Privacy Directive - requirement for consent to cookies
On 26 May 2011, an amendment to the Privacy and Electronic Communications (EC Directive) Regulations came into force. From now on, users of websites have to be given clear and comprehensive information about the use of cookies and, importantly, have to have given their consent to the use of cookies. Previously, it was merely necessary for users to be given details of how to opt out.
Given the practical difficulties of obtaining consent without impairing the user's ability to browse the Internet easily, the Government is leaning heavily towards a browser-led solution under which browser settings can be used for the necessary consent to be given. However, it is the view of both the Government and the ICO that browsers do not presently contain the necessary settings sufficient to provide consent. The use of browser solutions is therefore a mid term solution awaiting browser suppliers to make the necessary changes. This solution is not perfect, because not everyone will be using the new browsers and there may be issues with those accessing website on mobile phones.
As a result, the Government and ICO have decided to take a phased approach to implementation. No enforcement action will be taken for breach of the Regulations for a period of 12 months, ie before 26 May 2012. In the meantime, the ICO has said that it expects organisations to be taking steps to ensure they can properly comply with the revised rules for cookies by May 2012.
There are two main official documents setting out the Government's present position. The first is the ICO guidance which can be found at click here. The second is a recent open letter from the DCMS setting out the Government's position in light of the difficulties of implementation. It can be found at click here.
As you might expect, the ICO has done what it can to comply with the new rules on its website. Every page of the website has wording at the top about the changes in the rules. The wording states that users may "delete and block all cookies from this site, but parts of this site will not work". There is a box to accept cookies and a link to its privacy notice. The privacy notice explains about cookies. It lists the three cookies that are used on the site, explains the purpose of each and gives a link to find further information. It also explains that cookies can be controlled from web browsers and gives a link to find out more information. The cookies used by the ICO seem innocuous and not intrusive – the relatively simple approach taken by the ICO might not work for all websites. PLC have used the ICO's approach in its revised privacy policy precedent. The aim is to revise the CR privacy policy precedent next week.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.