Use of cookies

On 26 May the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 came into force.  These Regulations amend the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”) in two main respects:  (i) organisations operating online must now get informed consent from their website users before using cookies; and (ii) the Information Commissioner's Office ("ICO") has been given new enforcement powers allowing it to deal with breaches of these Regulations.

Cookies are small text files placed by websites in users' browsers to track their activity.  The changes to PECR mean that operators of websites must now give information about how the website uses cookies to allow visitors to the website to decide whether to accept the cookies or not – ‘prior informed consent’.

Only cookies that are "strictly necessary" for a service requested by the user will be exempt from consent, such as cookies used to create an online "shopping basket" so the site can remember the goods chosen.  However, this is an extremely limited exception.

The ICO published guidance on the amended PECR on 9 May. The guidance advises that organisations need to: (i) consider what type of cookies or similar technology their website uses and for what purpose; (ii) assess how intrusive their use is; and (iii) decide on the best solution to obtain consent.  The guidance lists practical steps that organisations will need to take to be compliant with PECR, such as providing information about cookies and obtaining consent before a cookie is set for the first time.

New ICO Powers

The Regulations have also granted the ICO the following new powers:

  • Monetary penalty powers extended:  to fine organisations up to £500,000 for any serious breach of PECR, such as sending unwanted marketing emails and texts, as well as making live and automated marketing phone calls.
  • Compulsory notification for data security breaches: telecommunication companies and Internet Service Provider ("ISPs") must notify the ICO and their customers in certain circumstances if a personal data security breach occurs.  The ICO will also be able to demand information from such organisations to help with investigations into breaches of PECR and can fine up to £1000 for failing to notify.
  • Increased audit powers: to audit telecommunication companies and ISPs to determine if they are complying with their obligations under PECR.

Since the amendments came into force the ICO has announced that it will take a phased approach to enforcing compliance with the new rules.  The ICO has indicated that in some aspects it is looking for compliance straight away, but in relation to cookies it has indicated that it will not take enforcement action in the first twelve months as operators look to amend their websites to comply with the new rules.

This new law is already having an impact, not least on the ICO itself which amended its website as of 25 May to ensure that consent to use of cookies is obtained from visitors to the website.  Figures published in response to a Freedom of Information request showed a drop of around 90% in the number of recorded visitors to the ICO website since the law came into force.  The figures provided covered the period from 5 May to 16 June 2011.  If this is mirrored around the web it will have a significant impact on the data being collected.

Sony PlayStation security breach

The ICO already has powers to fine organisations up to £500,000 for data protection offences, which may be relevant in light of the recent Sony PlayStation data security breaches that the ICO is currently investigating.  In this incident it is alleged that 77 million Sony PlayStation users had their account and personal details stolen after hackers attacked their online network in April.  A second breach occurred two weeks later, with a further 25 million users' personal data being hacked.

All organisations that process personal information must ensure they keep data secure.  Sony has stated that it is taking steps to prevent future attacks, including enhanced levels of encryption and additional firewalls, but it will be interesting to see how the ICO responds.

Latest ICO fine

The ICO continues to make use of its powers to fine for serious breaches of the Data Protection Act.  The latest fine to be imposed is a fine of £120,000 on Surrey County Council in respect of three incidents where sensitive personal information was emailed to the wrong recipient.  In announcing the fine, Christopher Graham, Information Commissioner, stated that “Any organisation handling sensitive information must have appropriate levels of security in place. Surrey County Council has paid the price for their failings and this case should act as a warning to others that lax data protection practices will not be tolerated.”