• Guidance Published on New European "Cookie Law"
  • May 23, 2011
  • Law Firm: SNR Denton - Chicago Office
  • The new rules on use of website cookies and similar technologies for storing information on a user's computer or mobile device come into force on 26 May 2011. These rules are contained in the changes to the e-Privacy Directive (2002/58/EC), which also introduces a new data breach notification requirement for telecoms companies and ISPs.

    • New Law on Cookies
    • New Guidance Published
    • Immediate Action Required
    • Data Breach Notification
    • The new rules present a challenge
    • International and global business

    New Law on Cookies

    A cookie is a small file that can be downloaded to a PC or mobile device when the user accesses certain websites. A cookie allows the website to "recognize" the user's device. Cookies are used to enable websites to deliver a more customized and user-friendly experience.

    The current EU rules say that a person must not use an electronic communications network to store information, or gain access to information stored, in the terminal equipment of the subscriber or user unless the subscriber or user is provided with clear and comprehensive information about the way in which the cookies are used. Usually, this explanatory information is contained in the website privacy policy, which also explains how the subscriber or user can delete or refuse cookies. The current rule applies to all storage of or access to “information” (not merely personal data).

    The new rules are contained in Article 5(3) of the e-Privacy Directive, which will be implemented, in the UK, by an amended regulation 6 of the Privacy and Electronic Communications Regulations 2003 (PECR). The new rules add an additional requirement in that you must obtain the consent of the relevant subscriber or user in order to store, or gain access to, information in the terminal equipment of the subscriber or user.

    There is a limited exemption from the new consent rule in relation to the technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network or as strictly necessary in order for the provider of an information society service (i.e. an online/e-commerce service) explicitly requested by the subscriber or user to provide the service.

    New Guidance Published

    One of the key issues with the new rules on cookies is how and whether website operators can collect individual consents for the use of cookies without impacting the user experience. For example, introducing a “pop-up box” to ask for consent prior to allowing the user to view a website could have a substantially detrimental impact on user experience. However, the Article 29 Working Party (the independent European advisory body on data protection) published guidance last year saying that browser settings (potentially a much more pragmatic way to obtain user consent) are unlikely to work, except in very limited circumstances. This is undoubtedly the correct legal analysis based on the Data Protection Directive (94/6/EC), which requires consent to be a freely given, specific and informed indication of the individual's wishes. There has been much debate in the past six months as to how website operators can obtain user consent in both a pragmatic and a legally compliant manner.

    Last week, the UK data protection regulator (the Information Commissioner's Office (ICO)) published guidance on the new rules on cookies and, in particular, as to how to obtain consent in a pragmatic way. Unfortunately (but perhaps not surprisingly) the ICO takes the view that you cannot rely on browser settings to deliver consent for the use of cookies. This may change in the future as there are various industry initiatives to work with the browser manufacturers to embed privacy preferences within individual browsers. Suppose, for example, that a user is asked to state their privacy preferences (and whether they wish to allow cookies) when they first use the browser and, perhaps, at regular intervals thereafter. We believe this would create the required consent without impacting user experience. In the absence of such a solution, the ICO guidance discusses use of pop-ups, terms and conditions and other practical steps that can be taken to obtain consent. The guidance also highlights the particular difficulties where websites allow third parties to set cookies on a user's device. This can be a particularly challenging area for websites that display content from third parties, and impacts directly on online behavioral advertising and advertising networks.

    Immediate Action Required

    In practice, the new rules on cookies will apply to all website operators who use cookies or similar technologies. The exceptions are very narrow. While the new rules can be implemented by websites to the extent that users log in/sign on to receive a service, the issue is much more challenging where websites use cookies in relation to subscribers or users who simply visit the website in the normal way.

    The ICO advises you to take the following steps now:

    1. Check what type of cookies and other similar technologies you use and how often you use them.
    2. Assess how intrusive your use of cookies is. 
    3. Decide what solution to obtain consent will be best in your circumstances.
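As an added illustration (not part of the SNR Denton note or the ICO guidance), a small Python cookie inventory that supports the first two steps: it reads captured Set-Cookie headers, separates first-party from third-party cookies, records their lifetime, and flags which cookies fall outside an assumed "strictly necessary" allow-list. The site domain, the allow-list, the intrusiveness ranking and the sample headers are all constructed for this example.

```python
from http.cookies import SimpleCookie

SITE_DOMAIN = "shop.example"   # assumed first-party domain of the site operator
# Assumed allow-list: cookies the operator has judged strictly necessary to deliver
# a service the user explicitly requested (the narrow Article 5(3) exemption).
STRICTLY_NECESSARY = {"session_id", "basket"}

# Constructed sample responses: (host that set the cookie, Set-Cookie header value)
SAMPLE_SET_COOKIES = [
    ("shop.example", "session_id=abc123; Path=/; HttpOnly; Secure"),
    ("shop.example", "prefs=lang%3Den; Max-Age=2592000; Path=/"),
    ("ads.tracker.example", "uid=xyz; Domain=.tracker.example; Max-Age=63072000"),
    ("shop.example", "basket=3; Path=/"),
]

def classify(setter_host, header):
    """Inventory row for one cookie: who sets it, how long it lives, whether consent is needed."""
    jar = SimpleCookie()
    jar.load(header)
    name, morsel = next(iter(jar.items()))
    domain = (morsel["domain"] or setter_host).lstrip(".")
    first_party = domain == SITE_DOMAIN or domain.endswith("." + SITE_DOMAIN)
    # Max-Age (seconds) or Expires makes a cookie persistent; neither means session-only.
    persistent = bool(morsel["max-age"] or morsel["expires"])
    lifetime_days = int(morsel["max-age"]) // 86400 if morsel["max-age"] else None
    # The exemption only covers the operator's own strictly necessary cookies;
    # a third-party or non-essential cookie needs the user's prior consent.
    consent_required = (not first_party) or name not in STRICTLY_NECESSARY
    # Rough intrusiveness ranking (an assumption for this example, not an ICO scale).
    if not first_party:
        intrusiveness = "high"
    elif consent_required and persistent:
        intrusiveness = "medium"
    else:
        intrusiveness = "low"
    return {"name": name, "domain": domain, "first_party": first_party,
            "persistent": persistent, "lifetime_days": lifetime_days,
            "consent_required": consent_required, "intrusiveness": intrusiveness}

def audit(set_cookies):
    """Steps 1 and 2 together: one inventory row per captured Set-Cookie header."""
    return [classify(host, header) for host, header in set_cookies]

def needs_consent(set_cookies):
    """Step 3 input: cookies that must not be set until the user has consented."""
    return sorted(r["name"] for r in audit(set_cookies) if r["consent_required"])
```

In practice the headers would be collected from a crawl of your own site, including responses from embedded third-party content, since those are the cookies the ICO singles out as hardest to cover.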

    It is important for businesses to address the above questions. If the ICO receives a complaint about a website, the ICO will expect an organization’s response to set out how it has considered the above points and that it has a realistic plan to achieve compliance. The ICO guidance is quite clear: doing nothing is not an option.

    The ICO will be issuing separate guidance on how it intends to enforce the new rules. For further information visit the ICO’s website.

    Data Breach Notification

    The update to the e-Privacy Directive (2002/58/EC) also introduces a new data breach notification requirement. This applies to the providers of publicly available electronic communication services (i.e. telecoms companies and ISPs). In the event of a “personal data breach” the communications service provider must notify the relevant data protection authority “without undue delay”. The provider is also required to notify the relevant subscribers or individuals where the breach is likely to adversely affect the personal data or privacy of subscribers or individuals.

    The new rules also require providers to maintain an inventory of personal data breaches (i.e. a data breach log) comprising the facts surrounding each breach, its effects and the remedial action taken. The national authorities in each EU member state can also audit individual providers as to whether or not they have complied with their obligations.

    The new rules present a challenge

    The new rules on cookies present a challenge for all businesses that operate websites, serve or use banner adverts, run advertising networks or provide online/e-commerce services. How do they obtain consent without damaging user experience? The ICO guidance is a helpful summary of the new rules and provides a view on some of the practical and technical steps that businesses can use to obtain consent for the use of cookies. It is now clear that you cannot simply ignore the new rules. Positive steps must be taken to ensure compliance. The practical steps required will depend on the way in which your website operates and the nature of services/information provided.

    International and global business

    The new rules also present challenges for international and global businesses. Implementation of these rules will be undertaken in each of the 27 member states of the European Union so it is quite conceivable that the detailed requirements will vary from one member state to another. In addition, the EU “consent-based” solution is the reverse of the industry-led approach in, for example, the United States, where users are provided with information and an opportunity to opt out of the use of cookies. The challenge for international business, therefore, is whether to implement a European-specific solution for European users or apply the “European model” to other jurisdictions in the interests of consistency.