Cookies, Consent, and Compliance in the UK

Cookies, Consent, and Compliance in the UK

The EU’s 2009 e-Privacy (“Cookie”) Directive is spreading across member states. To date, twenty out of twenty-seven member states have implemented some form of the cookie law. One of the countries currently grappling with cookie law is the UK with its Privacy and Electronic Communication Regulations (PECR), which were amended in 2011 and came into force on May 26 2012. The new cookie law, which combines the ‘consent principle’ from the Data Protection Directive (DPD) with the technical purview of the e-Privacy Directive, forces website operators to obtain “consent in order to store a cookie on a user or subscriber’s device.”

Previously, online actors in the UK were merely required to provide users and subscribers with the ability to opt-out of cookies, without having to provide much information about those cookies. Now, companies will have to provide clear and separate (from the existing privacy policy) information about cookies as well as solicit consent for their use. The new amendments have, however, led to debates about what constitutes “consent” and how to solicit it from online users.

Under PERC, online companies can rely on implied consent. This means that online companies are merely required to provide users with information about the cookies being used on the site, without requiring explicit action. Consent under PERC may diverge from the DPD, which seems to require that consent is communicated by the user, such as ticking a box. To be clear, continued use of a website after a user or subscriber is given information about the cookies used on that site can constitute implied consent. This is closer to an opt-out consent strategy.

Online companies in the UK have been working to implement their new cookie-consent strategies ahead of enforcement by the Information Commissioner’s office (ICO), which officially began this past weekend. While the responsibilities for online companies as set out in PERC have been criticized as being vague, the ICO and other actors have provided significant guidance on the matter. The ICO for example, has released its “Guidance on the Rules on the Use of Cookies and Similar Technologies,” which helps define “consent,” responsibilities that online companies now face, and “practical advice for those trying to comply.”

Despite the push to assist companies in implementing a cookie-consent strategy, many UK companies have found it difficult to contend with the new regulations. Difficulty stems from the legal subjectivity of PERC and technical obstacles, which include the large number of cookies used on most websites and the varying applications of each cookie (some of which are essential for website functionality).

The ICO, which has the ability to impose penalties as high as £500,000, has taken an openly lenient approach to enforcement because of the difficulties that UK companies are facing to ensure compliance. According to Dave Evans, group manager at the ICO, if a company can show that it has “taken some steps already” or that “they’ve got a realistic plan at the end of which they’ll be able to say they’ve achieved compliance” the ICO will not pursue monetary penalties.

It will be interesting to follow how UK companies work to comply with the new cookie law and develop their consent policies and cookie notices over the next few months.

 

-Julian Flamant

Leave a Reply


Privacy Calendar

Oct
30
Thu
9:00 am The Privacy Act @40: A Celebrati... @ Georgetown Law
The Privacy Act @40: A Celebrati... @ Georgetown Law
Oct 30 @ 9:00 am – 5:30 pm
The Privacy Act @40 A Celebration and Appraisal on the 40th Anniversary of the Privacy Act and the 1974 Amendments to the Freedom of Information Act October 30, 2014 Agenda 9 – 9:15 a.m. Welcome[...]
Nov
7
Fri
all-day George Washington Law Review 201... @ George Washington University Law School
George Washington Law Review 201... @ George Washington University Law School
Nov 7 – Nov 8 all-day
Save the date for the GW Law Review‘s Annual Symposium, The FTC at 100: Centennial Commemorations and Proposals for Progress, which will be held on Saturday, November 8, 2014, in Washington, DC. This year’s symposium, hosted in[...]
Nov
11
Tue
10:15 am You Are Here: GPS Location Track... @ Mauna Lani Bay Hotel & Bungalows
You Are Here: GPS Location Track... @ Mauna Lani Bay Hotel & Bungalows
Nov 11 @ 10:15 am
EFF Staff Attorney Hanni Fakhoury will present twice at the Oregon Criminal Defense Lawyers Association’s Annual Sunny Climate Seminar. He will give a presentation on government location tracking issues and then participate in a panel[...]
Nov
12
Wed
all-day PCLOB Public Meeting on “Definin... @ Washington Marriott Hotel
PCLOB Public Meeting on “Definin... @ Washington Marriott Hotel
Nov 12 all-day
The Privacy and Civil Liberties Oversight Board will conduct a public meeting with industry representatives, academics, technologists, government personnel, and members of the advocacy community, on the topic: “Defining Privacy.”   While the Board will[...]
Nov
20
Thu
all-day W3C Workshop on Privacy and User... @ Berlin, Germany
W3C Workshop on Privacy and User... @ Berlin, Germany
Nov 20 – Nov 21 all-day
The Workshop on User Centric App Controls intents to further the discussion among stakeholders of the mobile web platform, including researchers, developers and service providers. This workshop serves to investigate strategies toward better privacy protection[...]
Dec
2
Tue
all-day IAPP Practical Privacy Series 2014
IAPP Practical Privacy Series 2014
Dec 2 – Dec 3 all-day
Government and FTC and Consumer Privacy return to Washington, DC. For more information, click here.
Dec
11
Thu
9:00 am Progress of the EU Data Protecti...
Progress of the EU Data Protecti...
Dec 11 @ 9:00 am
The EU Member States have agreed to conclude the negotiations on the EU Data Protection draft Regulation in 2015. The process will have arrived at a critical point by the end of this year. The[...]

View Calendar