The United Kingdom's new laws for cookies and e-commerce will be enforced from 26 May 2012.
These laws were announced in April 2011 after a consultation in which Duane Morris participated. The consultation was triggered by a European Union Directive (the E-Privacy Directive (2009/136/EC)) introduced at the end of 2009. The E-Privacy Directive required each country in Europe to establish their own laws to meet the basic requirements of the Directive. The UK brought in new legislation—the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011—in May 2011 to do that. The new cookie laws in the UK apply to all data collected electronically, not just personal data. Personal data is also covered by separate data-protection laws across Europe, which are also in the process of revision as we reported in an earlier Duane Morris Alert.
In our earlier Alert, we covered some of the history behind the new laws. The UK Information Commissioner's Office (ICO) responded to a lack of clarity in the original legislation by announcing a one-year period of grace during which time it expected that it would not enforce the new laws. That grace period expires next month. The UK law applies not only to cookies but also to similar technologies for storing information. This could include flash cookies, web beacons or web bugs (also known as clear gifs). It will apply to cookies that expire at the end of a user's online session (known as session cookies) and those that are stored for longer (sometimes called persistent cookies).
Information to be provided
Cookies or similar devices should not be used, unless the user:
- is provided with clear and comprehensive information about what the cookies are doing and what is being stored; and
- has given his or her consent.
UK law does not detail the sort of information that should be provided, but the ICO feels that it should be "sufficiently full and intelligible to allow individuals to clearly understand the potential consequences of allowing storage and access to the information collected by the device should they wish to do so." A limited exception to the need to provide this information is where use of the cookie is strictly necessary to provide a service required by the user. This exception is likely to be narrowly interpreted, and the ICO feels it will be limited to cookies that are essential, rather than reasonably necessary.
"Setting cookies before users have had the opportunity to look at the information provided about cookies, and make a choice about those cookies, is likely to lead to compliance problems. The Information Commissioner does however recognise that currently many websites set cookies as soon as a user accesses the site. This makes it difficult to obtain consent before the cookie is set. Wherever possible the setting of cookies should be delayed until users have had the opportunity to understand what cookies are being used and make their choice. Where this is not possible at present websites should be able to demonstrate that they are doing as much as possible to reduce the amount of time before the user receives information about cookies and is provided with options. A key point here is ensuring that the information that you provide is not just clear and comprehensive but also readily available."
The Guidance also maintains that the ICO would like compliance to stretch beyond organizations based in the UK, saying "Organisations based outside of Europe with websites designed for the European market, or providing products or services to customers in Europe, should consider that their users in the UK and Europe will clearly expect information and choices about cookies to be provided." Whether the ICO would try to assert jurisdiction over a U.S. website using cookies with European visitors (like the Spanish regulator has attempted to do) remains to be seen.
The rest of Europe
Each of the 27 countries in the EU were also due to implement their local laws by 25 May 2011 to meet their obligations under the Directive. Some have fared better than others, and interpretation of the Directive has varied across Europe. It is hard to foresee how rigorously these laws will be applied. Cookies have traditionally been one of the areas in which there is little harmony in Europe, and while hope remains that more countries will take the ICO's reasonable and balanced stance, that is by no means certain.
It should also be noted that existing powers also exist in consumer legislation to deal with unfair trade practices. These laws have been enforced more in the last few months, with the recent UK investigation into Groupon being just one instance. In the UK, the Consumer Protection from Unfair Trading Regulations 2008 gives the duty to regulators to act when a consumer is deceived about the presence of cookies, even when the information they have been given is correct. The penalties under the existing UK legislation include fines or a prison term of up to two years.
The debate over the use of tracking tools on websites has been developing for some time. Many website operators simply do not know how many cookies are on their sites. It can be challenging to meet the obligation to be transparent without that basic knowledge. Businesses may want to check their sites to determine where they are using cookies and what those cookies are doing. They also may want to stop using unnecessary cookies, especially those sending data to third parties. Businesses may then develop ways of informing visitors to their sites what is happening to their data and getting consent to those practices. Given that the law is still in a state of uncertainty, transparency should be the guiding principle of any business in its online activities.