Cookies, Consent, and Compliance in the UK
The EU’s 2009 e-Privacy (“Cookie”) Directive is spreading across member states. To date, twenty out of twenty-seven member states have implemented some form of the cookie law. One of the countries currently grappling with cookie law is the UK with its Privacy and Electronic Communication Regulations (PECR), which were amended in 2011 and came into force on May 26 2012. The new cookie law, which combines the ‘consent principle’ from the Data Protection Directive (DPD) with the technical purview of the e-Privacy Directive, forces website operators to obtain “consent in order to store a cookie on a user or subscriber’s device.”
Previously, online actors in the UK were merely required to provide users and subscribers with the ability to opt-out of cookies, without having to provide much information about those cookies. Now, companies will have to provide clear and separate (from the existing privacy policy) information about cookies as well as solicit consent for their use. The new amendments have, however, led to debates about what constitutes “consent” and how to solicit it from online users.
Under PERC, online companies can rely on implied consent. This means that online companies are merely required to provide users with information about the cookies being used on the site, without requiring explicit action. Consent under PERC may diverge from the DPD, which seems to require that consent is communicated by the user, such as ticking a box. To be clear, continued use of a website after a user or subscriber is given information about the cookies used on that site can constitute implied consent. This is closer to an opt-out consent strategy.
Online companies in the UK have been working to implement their new cookie-consent strategies ahead of enforcement by the Information Commissioner’s office (ICO), which officially began this past weekend. While the responsibilities for online companies as set out in PERC have been criticized as being vague, the ICO and other actors have provided significant guidance on the matter. The ICO for example, has released its “Guidance on the Rules on the Use of Cookies and Similar Technologies,” which helps define “consent,” responsibilities that online companies now face, and “practical advice for those trying to comply.”
Despite the push to assist companies in implementing a cookie-consent strategy, many UK companies have found it difficult to contend with the new regulations. Difficulty stems from the legal subjectivity of PERC and technical obstacles, which include the large number of cookies used on most websites and the varying applications of each cookie (some of which are essential for website functionality).
The ICO, which has the ability to impose penalties as high as £500,000, has taken an openly lenient approach to enforcement because of the difficulties that UK companies are facing to ensure compliance. According to Dave Evans, group manager at the ICO, if a company can show that it has “taken some steps already” or that “they’ve got a realistic plan at the end of which they’ll be able to say they’ve achieved compliance” the ICO will not pursue monetary penalties.
It will be interesting to follow how UK companies work to comply with the new cookie law and develop their consent policies and cookie notices over the next few months.
–Julian Flamant
