Memo #26047

European Directive on Obtaining Consent for Use of Cookies

April 17, 2012

TO: COMPLIANCE MEMBERS No. 4-12
INTERNATIONAL MEMBERS No. 13-12
PRIVACY ISSUES WORKING GROUP No. 1-12
SMALL FUNDS MEMBERS No. 11-12
TECHNOLOGY COMMITTEE No. 6-12

RE: EUROPEAN DIRECTIVE ON OBTAINING CONSENT FOR USE OF COOKIES

Entities based in the United Kingdom that have websites may be interested in a new UK requirement governing websites’ use of cookies.  In particular, the Privacy and Electronic Communications Regulations 2003 (“EC Directive”) govern the use of cookies and similar technologies for storing information, and accessing information stored, on a user’s equipment such as a computer or mobile device.  In 2009, the EC Directive was amended to require websites to obtain consent from users or subscribers in order for the website to store a cookie on their device.  To implement the amendments, the UK introduced new regulations, [1] which are essentially designed to protect the privacy of internet users.  They came into force on May 26, 2011, with a lead-in period of twelve months to put into place the measures needed to comply.  The UK’s Information Commissioner’s Office issued guidance on the new requirements, which is summarized below. [2]

The Guidance explains that the Regulations apply to both session cookies (which expire after a browser session) and persistent cookies (which are stored on a user’s device in between browser sessions).  The Regulations require user or subscriber consent, which the Guidance defines as some form of communication where the individual knowingly indicates their acceptance.  This may involve clicking an icon, sending an email, or subscribing to a service.  There is an exception from the requirement to provide information and obtain consent where the use of the cookie is “for the sole purpose of carrying out the transmission of a communication over an electronic communication network; or where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.” [3]  The Guidance explains that legislators intended this exception to be narrow, covering such cookies as those used to ensure that when a user has chosen goods to purchase and proceeds to check out, the site “remembers” what they chose on a previous page.

The Guidance states that an organization based in the UK is likely to be subject to the requirements of the Regulations even if its website is technically hosted overseas.  The Guidance suggests that, in complying with the Regulations, organizations should:  (i) check what type of cookies are used and how they are used; (ii) assess how intrusive the use of cookies is; and (iii) choose the best solution to obtain consent in their circumstances.

Tamara K. Salmon
Senior Associate Counsel

endnotes

 [1] The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (“Regulations”) can be accessed at http://www.legislation.gov.uk/uksi/2011/1208/pdfs/uksi_20111208_en.pdf.

 [2] Information Commissioner’s Office, Guidance on the rules on use of cookies and similar technologies (December 13, 2011) (“Guidance”).

 [3] Guidance at pp. 8-9.