May 292012

EU Website Cookie Consent Requirements Now Being Enforced

Sidley Data Matters Contributors
, , , ,

The deadline of 26 May 2012 for businesses to comply with new EU website cookie consent requirements in the UK has now passed. Under the EU’s amended e-Privacy Directive 2002/58/EC new rules were introduced last year for businesses to obtain the consent of website users to place cookies on a user’s computer. Although EU Member States were required to implement the consent requirements by 25 May 2011, the UK’s Information Commissioner’s Office (“ICO”) gave businesses a 12 month grace period to become compliant with the new law which ended on 26 May 2012. Many other EU Member States have still to implement the cookie consent requirements with only 20 of the 27 Member States having so far implemented the requirements into their national laws.1

The new EU cookie consent requirements contain an exception where the website is using a cookie “that is strictly necessary” to provide the service explicitly requested by the user. The ICO considers this exception should be narrowly interpreted and cannot, for example, be used to exclude cookies used for analytical purposes, such as counting the number of visits to a website, from the new consent requirements. Failure to comply with the EU cookie consent requirements can lead to enforcement action including fines from national data protection authorities.

UK Guidance

The cookie consent requirements under the amended ePrivacy Directive were implemented in the UK through “The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011” (the “UK Regulations”). The ICO has published helpful guidance on implementing the UK Regulations entitled “Guidance on the rules on use of cookies and similar technologies” (the “UK Guidance”).

Regarding the scope of the UK Regulations, the UK Guidance states that websites based outside of the EU, designed for the European market or providing products or services to customers in the EU, should consider that their users in the UK and the EU will clearly expect that information about cookies will be provided to them and their consent to set cookies obtained.

Providing clear and comprehensive information to the user

In addition to obtaining consent, the requirements under the ePrivacy Directive include that the user is provided with “clear and comprehensive information” about the purposes for which the information, such as that collected through cookies, is used.

The ICO suggests that wherever possible, the placing of cookies on a user’s terminal equipment should be delayed until the user has had the opportunity to understand what the cookies are being used for and so they can make their choice to accept the cookies or not. However, the ICO acknowledges that obtaining prior consent might be difficult as many websites set cookies as soon as a user accesses a website. The ICO therefore states that at present websites should be able to demonstrate that they are doing as much as possible to reduce the amount of time before the user receives information about cookies and is provided with the option to accept the use of cookies.

Responsibility for compliance

Although the UK Regulations do not define who should be responsible for complying with the new requirements, the ICO clearly states in the UK Guidance that “where a person operates an online service and any use of cookies will be for their purposes, it is clear that that person will be responsible for complying with this Regulation”. The ICO also makes it clear that where third party cookies are used through a website, the person operating the website and the third party should be responsible for complying with the UK Regulations. However, the ICO acknowledges that it could be challenging in practice for third parties to comply, and therefore proposes that a third party using cookies on a website should consider putting a contractual obligation into agreements with the website provider “to satisfy themselves that appropriate steps will be taken to provide information about the third party cookies and obtain consent.”

Potential solutions to gain the consent of the user:

The UK Guidance refers to a number of potential solutions to obtain consent for use of cookies including:

Use of pop ups and similar techniques, such as header or footer bar on the home page – while using a pop up to directly ask a user if they agree to the use of cookies will amount to consent if they click yes, as the ICO acknowledges this could spoil the user experience if the website uses several cookies. Moreover, the ICO comments that some users might not click on the options available and go straight to another part of the website. In these circumstances it may be possible to infer consent from the fact that the user has seen a clear notice and actively indicated that they are comfortable with cookies by clicking through and using the site.

Terms and conditions – when users open an online account or sign in to use the services, they could consent through terms and conditions to the use of cookies. The ICO specifies that changing the terms of use alone to include consent for cookies is not sufficient even if the user had previously consented to the global terms. To satisfy the new rules on cookies, the website operator must make users aware of the changes and specifically that the changes refer to the use of cookies. The website operators will then need to gain a positive indication that users understand and agree to the changes. The positive indication is commonly obtained by asking users to tick a box.

Settings-led consent – some cookies are set up when a user confirms what he/she wants to do or how he/she wants the site to work, for example, when selecting a feature such as the language of the website. The website should, during that process, explain to the user that by allowing the website to remember the user and the way he/she wants to use the website, the user gives the website consent to use cookies.

Feature-led consent – some information is stored in the user’s computer when the user decides to use a particular feature of a website such a watching a video or when the website remembers what the user did on a previous visit in order to personalise the content of the website. In these cases the website can ask for the consent to set a cookie at this point.

Browser settings – the view of the ICO is that most browser settings are not currently sophisticated enough to allow a website provider to assume that the user has given his consent. The UK Guidance confirms that the ICO and the UK Government are currently working with the major browser manufacturers to establish a new browser solution.

Steps to take now

Many businesses have been considering the best ways to obtain consent to the use of cookies for some time. For those businesses that have not yet implemented a cookie consent solution for their websites it is important that they do so now, particularly as the UK deadline has now passed. According to the UK Guidance the first steps should be:

Cookie Audit – businesses should check what cookies they are using on their websites, confirm the purposes, what data each cookie holds and the type of cookie (i.e. session or persistent and first or third party cookie). This could involve carrying out a comprehensive audit of the websites. The cookies used should also be analysed to determine which, if any, are “strictly necessary” and therefore might not need consent.

Cookie Assessment of Intrusiveness – the more intrusive a cookie the more priority should be given to getting meaningful consent. Some analytical cookies may have a limited privacy impact while cookies involved in creating detailed profiles of an individual’s browsing activity can have a significant privacy impact. An assessment of the intrusiveness of the cookies used should also be undertaken.

Cookie Consent Solution – in addition to deciding on the most appropriate of the cookie consent options, which are referred to above, it is also necessary to consider the information on cookies that should be provided to users. According to the ICO, for most users it may be helpful to provide a broad explanation of the way cookies operate and the categories of cookies that are used on the website.

If you have any questions regarding this update, please contact:

John Casanova, Partner
jcasanova@sidley.com
+44 20 7360 3739

William Long, Counsel
wlong@sidley.com
+44 20 7360 2061

1 Austria, Bulgaria, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Greece, Hungary, Ireland, Latvia, Lithuania, Luxembourg, Malta, Slovakia, Spain, Sweden The Netherlands and the UK.

 

This Sidley update has been prepared by Sidley Austin LLP for informational purposes only and does not constitute legal advice. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this without seeking advice from professional advisers.

Attorney Advertising – For purposes of compliance with New York State Bar rules, our headquarters are Sidley Austin LLP, 787 Seventh Avenue, New York, NY 10019, 212.839.5300 and One South Dearborn, Chicago, IL 60603, 312.853.7000. Prior results do not guarantee a similar outcome.   

Sidley Data Matters Contributors

Sidley Austin Privacy Group

1n-licensing@onenorth.com

You might also like
UK GDPR Reform Is Back! Department of Science, Innovation and Technology Introduces New Data Protection and Digital Information Bill

On 8 March 2023, the newly created Department of Science, Innovation and Technology (“DSIT”) introduced the Data Protection and Digital Information (No. 2) Bill. The “Bill” is in substance a re-introduction of the previous Data Protection and Digital Information Bill which was withdrawn from Parliament on the same day as the new Bill was published. The Bill, which has been hailed by the UK Government as one that will “save billions” and “cut down pointless paperwork” is the UK’s latest attempt to create a more streamlined piece of data protection legislation for the UK whilst still “ensur[ing] data adequacy.” The Information Commissioner’s Office (“ICO”) also welcomed the re-introduction of the Bill, with the Commissioner stating that he would “support [the Bill’s] ambition.” While much of the Bill remains the same as its previous iteration, we set out the key provisions and notable amendments below.

UK’s New Pro-innovation Approach to Regulating Digital Technologies

On 15 March 2023, the UK Government published, alongside its Spring Budget, a report on the Pro-innovation Regulation of Technologies Review (the “Report”). The Report was led by the government’s Chief Scientific Advisor and National Technology Officer, Sir Patrick Vallance, who was tasked with “bringing together the best minds to advise how the UK can better regulate emerging technologies, enabling their rapid and safe introduction.” In response, the UK Government has accepted all of the Report’s recommendations, and set out some next steps for their implementation.

Substantial Changes to Hong Kong’s Privacy Laws Coming

In a briefing to the Legislative Council (Hong Kong’s legislative body) on February 20, 2023, the Privacy Commissioner (“the Commissioner”) announced that substantive amendments to the Personal Data (Privacy) Ordinance (“PDPO”) will take place.