The EU’s 2009 e-Privacy (“Cookie”) Directive is spreading across member states. To date, twenty out of twenty-seven member states have implemented some form of the cookie law. One of the countries currently grappling with cookie law is the UK with its Privacy and Electronic Communication Regulations (PECR), which were amended in 2011 and came into force on May 26 2012. The new cookie law, which combines the ‘consent principle’ from the Data Protection Directive (DPD) with the technical purview of the e-Privacy Directive, forces website operators to obtain “consent in order to store a cookie on a user or subscriber’s device.”
Under PERC, online companies can rely on implied consent. This means that online companies are merely required to provide users with information about the cookies being used on the site, without requiring explicit action. Consent under PERC may diverge from the DPD, which seems to require that consent is communicated by the user, such as ticking a box. To be clear, continued use of a website after a user or subscriber is given information about the cookies used on that site can constitute implied consent. This is closer to an opt-out consent strategy.
Despite the push to assist companies in implementing a cookie-consent strategy, many UK companies have found it difficult to contend with the new regulations. Difficulty stems from the legal subjectivity of PERC and technical obstacles, which include the large number of cookies used on most websites and the varying applications of each cookie (some of which are essential for website functionality).
The ICO, which has the ability to impose penalties as high as £500,000, has taken an openly lenient approach to enforcement because of the difficulties that UK companies are facing to ensure compliance. According to Dave Evans, group manager at the ICO, if a company can show that it has “taken some steps already” or that “they’ve got a realistic plan at the end of which they’ll be able to say they’ve achieved compliance” the ICO will not pursue monetary penalties.
It will be interesting to follow how UK companies work to comply with the new cookie law and develop their consent policies and cookie notices over the next few months.