Despite the loud furore that has accompanied discussions on the proposed amendments to the cookies law since November 2009, the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 quietly made it onto our statute books on 5th May 2011, whilst the country and commentators were focused on predicting the outcome of the referendum on AV. So what do the new rules say?
The rules are unambiguous in the requirement that the user must have given his or her consent to the storage of or gaining access to information stored in the user’s terminal equipment. However, as previously promised by DCMS (see post here: http://privacylawblog.ffw.com/?p=92), the government has thrown website operators a lifeline by stating that “consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent.”
Before website operators start declaring that it is business as usual, they would be advised to consider the ICO guidance on the new law, published today and available here. The ICO has made it clear that it expects organisations to consider the new law and devise a “realistic plan to achieve compliance… [The ICO] would handle this sort of [organisation] very differently… from an organisation which decides to avoid making any changes to current practice. The key point is that you cannot ignore these rules.” Furthermore, the ICO has confirmed the view of DCMS and the European Commission in declaring that current browser settings are not sophisticated enough to signify a user’s consent, and advises organisations to use another mechanism to gain consent. Helpfully, the guidance does give some suggestions as to what these other mechanisms may look like and acknowledges that website operators may need to deploy a range of solutions depending on the nature of cookies used on their sites.
One area where the guidance is silent as to the means of complying with the new law is in relation to third party cookies, for example cookies used to serve targeted advertising; the ICO concedes that this will be the area that poses the greatest challenge whilst deferring to industry and other European data protection authorities. The advice offered is for “anyone whose website allows or uses third party cookies to make sure that they are doing everything they can to get the right information to users and that they are allowing users to make informed choices about what is stored on their device”. Unfortunately this provides little assistance to those operators currently grappling with this issue; however, it is yet another indication that initiatives such as the IAB self-regulatory framework (see post here: http://privacylawblog.ffw.com/?p=86) will be the preferred route to compliance.
Both the regulator and industry are in uncharted waters; it will be a journey of discovery for all parties. Although the ICO has previously indicated that there will be a sunrise period in which it will not take enforcement action for breaches of the new law, the guidance is clear that despite the uncertainty and lack of a clear solution, inaction will not be tolerated.