- Guidance Published on New European "Cookie Law"
- May 23, 2011
- Law Firm: SNR Denton - Chicago Office
The new rules on use of website cookies and similar technologies for storing information on a user's computer or mobile device come into force on 26 May 2011. These rules are contained in the changes to the e-Privacy Directive (2002/58/EC), which also introduces a new data breach notification requirement for telecoms companies and ISPs.
- New Law on Cookies
- New Guidance Published
- Immediate Action Required
- Data Breach Notification
- The new rules present a challenge
- International and global business
New Law on Cookies
A cookie is a small file that can be downloaded to a PC or mobile device when the user accesses certain websites. A cookie allows the website to "recognize" the user's device. Cookies are used to enable websites to deliver a more customized and user-friendly experience.
The new rules are contained in Article 5(3) of the e-Privacy Directive, which will be implemented, in the UK, by an amended regulation 6 of the Privacy and Electronic Communications Regulations 2003 (PECR). The new rules add an additional requirement in that you must obtain the consent of the relevant subscriber or user in order to store, or gain access to, information in the terminal equipment of the subscriber or user.
There is a limited exemption from the new consent rule where the technical storage or access is (a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or (b) strictly necessary in order for the provider of an information society service (i.e. an online/e-commerce service) explicitly requested by the subscriber or user to provide that service.
New Guidance Published
Immediate Action Required
The ICO advises you to take the following steps now:
- Check what type of cookies and other similar technologies you use and how often you use them.
- Decide what solution to obtain consent will be best in your circumstances.
It is important for businesses to address the above questions. If the ICO receives a complaint about a website, the ICO will expect an organization’s response to set out how it has considered the above points and that it has a realistic plan to achieve compliance. The ICO guidance is quite clear: doing nothing is not an option.
The ICO will be issuing separate guidance on how it intends to enforce the new rules. For further information visit the ICO’s website.
Data Breach Notification
The update to the e-Privacy Directive (2002/58/EC) also introduces a new data breach notification requirement. This applies to the providers of publicly available electronic communication services (i.e. telecoms companies and ISPs). In the event of a “personal data breach”, the communications service provider must notify the relevant data protection authority “without undue delay”. The provider is also required to notify the relevant subscribers or individuals where the breach is likely to adversely affect the personal data or privacy of those subscribers or individuals.
The new rules also require providers to maintain an inventory of personal data breaches (i.e. a data breach log) comprising the facts surrounding each breach, its effects and the remedial action taken. The national authorities in each EU member state can also audit individual providers as to whether or not they have complied with their obligations.
The new rules present a challenge
International and global business