The Electronic Communications and Wireless Telegraphy Regulations 2011 and the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 came into effect on 26 May 2011 in the UK, implementing into national law amendments made to the EU Communications Framework in 2009.

Some of the changes introduced by the new Regulations, such as compulsory notice of security breaches, apply only to communications service providers. However, one amendment will affect practically all businesses with a website: since 26 May 2011 prior consent from users has been required in order to use cookies.

What do the new rules cover?

Both the original and new rules apply to storing or gaining access to information in the terminal equipment of a subscriber or user. This is generally understood to mean "cookies" (small files downloaded onto a user's computer when they access a website, which allow the website to recognise the user's computer). However, similar technologies for storing information are also covered by the rules (for example, "Locally Stored Objects", also known as "Flash Cookies").

How have the rules changed?

The UK's rules on cookies are set out in Regulation 6 of the Privacy and Electronic Communications Regulations 2003 (as amended). Under the original version of the rule, companies using cookies were required to: (a) provide users with "clear and comprehensive information" about the use of cookies; and (b) give users the opportunity to "refuse the storage of or access to that information". Many companies did this by putting information about cookies in their privacy policies and giving people the possibility of "opting out", often by explaining how they could change their internet browser settings to block cookies.

Under the amended Regulation 6, companies must still provide "clear and comprehensive information" about their use of cookies. However, cookies can then only be placed on machines where the user has also given their prior consent. In other words, the regime has changed from an "opt-out" to an "opt-in" approach.

Are there any exceptions?

There are two exceptions: Regulation 6 does not apply where cookies are "strictly necessary" for the provision of a service that has been requested by the user, or where the storage of or access to information is for the sole purpose of carrying out a transmission of a communication over a network. The Guidance published by the Information Commissioner's Office (the "ICO"), which will regulate the new rules, says that this is a "narrow" exception that is "limited to a small range of activities" where the "cookie must be related to the service requested by the user". The ICO gives the example of a cookie used to ensure that, when a user buys goods online and clicks the "add to basket" or "proceed to checkout" button, the site "remembers" what the customer chose on the previous page. In this case, the site would not be required to obtain users' consent for the cookies.

How can businesses comply with the new rules?

The ICO Guidance on changes to the rules on using cookies advises businesses to first of all: (i) check what types of cookies they use and how they use them; (ii) assess how intrusive their cookies are; and (iii) decide which solution for obtaining user consent will be best in the circumstances. Options suggested by the ICO for obtaining consent include pop-ups, terms and conditions, and website settings-led or feature-led consent. However, the ICO also advises that most internet browsers are not currently sophisticated enough for companies to rely on browser settings to demonstrate that the user has given consent to cookies.

What happens if a business does not comply?

The new rules came into force on 26 May 2011, meaning that companies should technically already be in compliance. However, in its Guidance on enforcing the revised Regulations, the ICO has acknowledged the difficulties faced by companies in achieving compliance. The ICO has therefore given a one-year grace period for companies to "get their house in order". This does not mean that companies can ignore the new rules, and the ICO Guidance confirms that companies will be expected to have a realistic plan in place to achieve compliance in the event of any complaint. It is also worth noting that the ICO will have the power to fine companies up to £500,000 for serious breaches of the Regulations.

What happens next?

Information Commissioner Christopher Graham has said that the Guidance "is very much a work in progress" that "doesn't yet provide all of the answers." The ICO would therefore "welcome further comments from others who have practical examples to share." In the meantime, companies should start undertaking an audit of the cookies used on their website and should consider which approach to obtaining users' consent is most appropriate for them.

A copy of the new Regulations can be found here.