Summary and implications

A little over a year ago, we flagged concerns that the amendments to the European directive on privacy and electronic communications (ePrivacy directive) meant that the UK’s current pragmatic approach to the use of cookies could change. Under the present regime, the Information Commissioner’s Office (ICO) issued guidance indicating that it was acceptable to place cookies on a user’s computer then make available the information about how they are used and how they can be removed.

As we noted previously in our article New European laws could impact the use of cookies on websites from May 2011, the new amendments to the ePrivacy directive indicate the user must now give consent “having been provided with clear and comprehensive information” as to any processing involving cookies. The revised text of the ePrivacy directive make a pragmatic interpretation more difficult, and it is not yet clear whether ICO will be as practical as it has been previously.

In a consultation, the UK government’s Department for Business, Innovation and Skills, (BIS) acknowledged the real significance of the use of cookies in websites. Nevertheless the proposals they put forward to implement the change were to simply copy the text from the European directive. The Department for Culture, Media and Sport is currently drawing up the regulations, but anticipates they will be late.

If it does, given that the EU’s Article 29 Working Party, which includes the Information Commissioner, has taken the view that browser settings cannot be a means to collect specific, informed consent from website users, we are left with doubt on how ICO will approach this.

  • BIS is expected to publish the response to the implementation consultation within the next month. This should give an indication as to whether the uncertainty will continue until we have ICO guidance.
  • If the copy-and-paste approach is used by government for the final implementing legislation, businesses will hope for pragmatic ICO guidance. While the government has hinted at this, ICO is autonomous and given the Article 29 Working Party view this cannot be guaranteed.  
  • EU and overseas businesses operating EU-accessible websites using cookies should watch developments carefully, and should consult their web developers to consider contingency plans for website pop-ups and landing pages to obtain consent if pragmatic guidance is not issued.

Proposed implementation

Many view the UK’s implementation proposal as a missed opportunity to remove the lingering concerns that businesses may have that the revised legislation could still require them to change their websites to use new “landing pages” or pop-ups to ask for specific consent before placing cookies on users' machines.  

This may seem strange given the acknowledgement of the importance of cookies to the usability and ongoing operation of many websites in both the consultation document and the impact assessment document published alongside it. However, any implementation which deviated significantly from the European text to address this issue could have opened the government up to challenge from any individuals and organisations who felt that the directive had not been implemented correctly – with damages as a potential remedy.

A hope for pragmatic guidance?

The wording of the consultation document refers to the words “strictly necessary… to provide the service” shortly after mentioning the level of dependency of many websites on cookies.  

Given this statement comes just after two sentences discussing how integral cookies are to providing website services, it seems to indicate that BIS is hoping for ICO to issue pragmatic guidance on how the phrase “strictly necessary” is to be interpreted. For more information  

This approach might provide ICO with a way to sidestep the Article 29 Working Party view on obtaining user “consent” to place cookies, but it may still be unwilling to stretch the interpretation of “strictly necessary” too far.  

The consultation is now closed, but the BIS consultation documents are available here The consultation is called “Implementing the revised EU Electronic Communications Framework – Overall approach and consultation on specific issues”.  

Those using cookies (particularly tracking cookies) should probably still be concerned, as if ICO issues less pragmatic guidance there is now far less time for businesses to implement changes to websites.