The UK Cookies Reform: will anyone be ready by 25 May?

The law on how to use cookies and similar technologies is about to change radically in the UK and in the rest of the EU.  By 25 May 2011, all member states will have to adopt the necessary measures to implement the new regime introduced by the revised EU Electronic Communications Framework in late 2009.

Cookies are small text files that are stored on users’ devices when visiting a web page. They are generally used to help users navigate better on the Internet and have an enhanced browsing experience. Cookies, for example, allow online retailers’ websites to store information on items that have been added to the basket, or send information to a webpage whenever the user visits the same site (e.g. for the purpose of remembering settings for personalised content). Cookies can also be used (and are used) for more intrusive objectives, for example by the advertising industry, to create profiles of users’ browsing habits (behavioural advertising). A useful website explaining how cookies work can be found here.

Currently, the use of cookies is regulated in the UK through a simple notice and opt-out approach. Article 6 of the UK Privacy and Electronic Communications Regulations 2003 (PECR) provides that:

“[…] a person shall not use an electronic communications network to store information, or to gain access to information stored, in the terminal equipment of a subscriber or user unless […] the subscriber or user of that terminal equipment (a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and (b) is given the opportunity to refuse the storage of or access to that information.”

In practice, all UK website operators currently do to comply with the PECR is to provide cookie information within their privacy policies indicating that users can refuse cookies through adjusting the settings of their browser accordingly.

This will not be sufficient anymore, as the new regime will require that, in order for operators to be able to validly store information on users’ equipment or retrieve that information, the user: (a) must be provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and (b) has given his or her consent.

The Information Commissioner’s Office (ICO), the authority competent to enforce data protection legislation in the UK, has recently published its first guidelines on the new regime. The good news is that the ICO agrees with the government’s view that businesses will face difficulties in adopting the new necessary policies and there should be a phased approach to the implementation of these changes. It is therefore expected that the ICO will exercise some degree of tolerance for a few months, as long as businesses show that they have a realistic plan to achieve full compliance in the near future.

In particular, the ICO guidelines advise companies to take the following steps immediately:

1. Internal Audit – companies should conduct a full due diligence to check what type of cookies and similar technologies they use and how they use them. This exercise should range from a comprehensive audit of websites to simply checking what data files are placed on users’ terminals and why and should also cover third party cookies (e.g. advertisement banners managed by third parties). The audit should also be a useful clean-up exercise to get rid of unnecessary cookies. To this respect, cookies that are “strictly necessary for the provision of an information society service requested by the subscriber or user” are exempted from the requirements. The exemption will likely be interpreted narrowly by the authorities to include only cookies such as the “add-to-basket” or “proceed-to-checkout” in an e-commerce environment.
2. Privacy Impact Assessment – companies should assess how intrusive their cookies are. Not all cookies will have an impact on users’ privacy and depending on their level of intrusiveness, appropriate actions will have to be put in place.
3. Action Plan – once companies know what they do and for what purpose, they must think about how to best obtain users’ consent. This will be the most difficult task as companies will have to trade carefully between adopting technical measures that may impact customer experience and full compliance with the new requirements. One thing the ICO has made clear is that relying on browser settings alone, will not be enough at this stage.

Further guidance is expected from the ICO in the near future, but companies are currently left with a fair amount of work to revisit all their current practices, in view of potential fines that in the UK have recently been increased to up to £500,000 for serious breaches.

Were these changes really necessary? Have the European institutions thought this through? Some considerations on this:

1. In 2010, the ICO has received 5,410 complaints regarding PECR, none of which related to the use of cookies.
2. In a world where Internet-related technology evolves at the fastest pace ever, the new regime is far from being technology-neutral. The legislation focuses instead on a ‘cookie-as-we-know-it’, i.e. a technology that physically stores information on users’ devices. How about information stored in the cloud? Will that fall under the new rules?
3. What impact will this have on users’ Internet experience?
4. What cost will businesses face to become fully compliant and avoid fines and PR disasters?
5. Where will this new regime sit within the comprehensive reform of the data protection directive currently underway?