New rules, the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011, came into force on 26th May 2011. These change the law around the use of “cookies”. Instead of a simple obligation for websites to be clear about their use of cookies, there is now a requirement to obtain opt-in consent.
As appears to be the case with several pieces of recent legislation, there is some confusion as to the actual requirements of the new law. The Information Commissioner’s Office (ICO) has recently published guidance on how websites can comply with the new law, though it is not definitive and leaves it up to businesses to decide how best to obtain the necessary consent.
The ICO advises businesses to:
- review the types of cookies their websites use and for what purposes;
- assess how intrusive those cookies are; and
- decide which options for obtaining consent will be appropriate for the different cookies used.
Options suggested for obtaining consent include pop-ups and splash pages, tick boxes tied to terms and conditions (not just relying on privacy policies), settings-led consent and feature-led consent.
The Government is working with browser makers to come up with a way to gather consent via browser settings, but there is no clear view on when, or if, this will be ready! In the meantime, the ICO has said that it will give businesses 12 months to change their use of cookies, but also that they should not simply rely on the Government coming up with a browser solution. Businesses would therefore be wise to develop plans to address the use of cookies.
The new rules allow penalties to be imposed of up to £500K where there has been a serious breach that is likely to cause substantial damage or distress, although the ICO has said it expects monetary penalties only in limited circumstances. Further guidance on those circumstances is expected.
http://www.ico.gov.uk/~/media/documents/library/Privacy_and_electronic/Practical_application/advice_on_the_new_cookies_regulations.pdf