In the run-up to today’s deadline for EEA Member States to implement the EU’s revised Privacy and Electronic Communications Directive, including its new rules requiring consent to the use of cookies, the UK Department of Culture, Media and Sport (the DCMS) and the UK’s privacy regulator, the ICO, have released further guidance for businesses, both on the requirements of the new rules and on how they are expected to be enforced.

In terms of the UK’s revised Privacy and Electronic Communications Regulations themselves and options for compliance, the DCMS, in its open letter of 24 May 2011, made clear that, whilst current default browser settings will not be sufficient to show valid consent to the use of cookies, the new rules are flexible enough to accommodate a variety of industry-led technological solutions for compliance, including enhanced browser settings (which are expected to be released later this year). The DCMS statement also clarifies that consent need not be prior consent, and that there are no constraints in the revised rules on when consent may be given. A factor on which the DCMS does focus, however, is the informed nature of the consent: users should be provided with all relevant information about the use of cookies to collect their personal data, in a transparent and simple way. Provided all appropriate information is communicated to the user, e.g. via enhanced browser settings or industry-monitored cookies information sites, browser settings (though not current default browser settings) may be a valid method of obtaining user consent.

The ICO’s recent enforcement guidelines and press release, of 25 May 2011, continue the DCMS’s themes of flexibility in options for compliance, and also reinforce the ICO’s previous messages that these new rules, whilst they may be slow to come fully into operation and enforcement, cannot be ignored. The ICO’s statements confirm that its current risk-based, proportionate enforcement approach will continue to be applied for the revised regulations, and make clear that a 12-month lead-in period will be applied (ending in May 2012), during which the ICO will refrain from using its enforcement powers in order to allow businesses to work on their compliance plans. Whilst it was generally expected that such a lead-in period would be applied, given the virtual impossibility of complying with the new regulations immediately, this statement from the ICO sets a useful time frame for businesses to start getting their technical functionality in line.

The ICO has opted for a very clear and visible compliance solution, as you would expect from a regulator, by including a banner notification at the top of each page of its site, informing site visitors of how it uses cookies and where to find more information, and providing the option to block all cookies from the site. The banner function includes an opt-in tick box to consent to the cookies (as the ICO uses Google Analytics cookies, which are not essential to the functioning of the site, it is seeking user consent). When this box is ticked and the user continues through the site, the cookies settings are fixed (unless altered via the browser), so the banner disappears (and does not re-appear on subsequent site visits through that same browser). The ICO makes clear in its guidance that its solution is just one example of how a site can provide cookies information to users and obtain consent, rather than a suggested or ideal solution.


The key message from this raft of recent guidance is that, for the next 12 months, online businesses do not need to worry about investigations and enforcement for breaches of the new cookies rule, but should at this stage be taking steps to analyse their own use of cookies and to think about how they may integrate enhanced browser settings and other industry-developed technologies when these become available later this year. It is still very much ‘watch this space’ in terms of what the technical solutions for compliance will look like in practice, and whether the ICO’s current pragmatic approach to enforcement will be employed in reality for the new cookies rules.

Note: For additional information on the implementation of these rules, see our prior post on the topic.