New rules on cookies – are you compliant or confused?
Nov 8, 2011
* Update 30/05/2012 The ICO’s latest guidance is here and provides additional information around the issue of implied consent.
* Update 22/05/2012 Econsultancy’s post on ‘EU cookie law: ICO to contact 50 UK websites about compliance’ is here and the link to their guide to compliance is here. The Direct Marketing Association and Internet Advertising Bureau’s how-to guide on email and cookie legislation is here.
In principle the regulations are right, but how practical are they? Remember back to when 3D Secure came about: originally it was seen as an inhibitor to online shopping, but it is now seen as a necessary evil. Cookie compliance, by comparison, will have a much bigger impact, because it affects almost every site rather than just checkout.
On May 26th 2011, the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 came into force. Under the new Regulations a subscriber or user has to give consent to the use of cookies, having been given clear and comprehensive information about the purpose of them. Under the previous law, organisations only had to inform users how they used cookies and how the user could “opt out” if they objected to their use. The aim of the Regulations is to increase transparency for consumers.
So what do you need to know?
Well, most importantly, the Regulations came into force on 26th May 2011, so this is the law now. The ICO has allowed a 12-month lead-in period before it takes enforcement action, which leaves only around 7 months from the date of this post to work towards compliance before risking a fine (fines are possible up to £500,000).
Why are the rules changing?
The European Directive on which the Regulations are based has been revised. UK law has to change to implement that changed Directive.
What are the rules?
There are many, but the ones that stand out say that cookies can only be placed on machines where the user or subscriber has given consent, having first been provided with clear and comprehensive information about the storage of, or access to, that information. It is important to note that changing the terms of use alone to include consent for cookies would not be good enough. To satisfy the new rules on cookies, you have to make users aware of the changes and specifically that the changes refer to your use of cookies. You then need to gain a positive indication that users understand and agree to the changes.
Not all cookies are caught by the consent requirement, but the boundary of the exemption is not yet clear. Broadly, only cookies that are strictly necessary for a service the user has actually asked for, such as an eCommerce shopping basket, are exempt (see regulation 6(4) below); analytics, advertising and other “nice to have” cookies are not, and the exemption turns on strict necessity rather than on whether the cookie happens to hold personal data.
The original rule was set out in regulation 6 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), more here.
The new requirement is essentially that cookies can only be placed on machines where the user or subscriber has given their consent.
6 (1) Subject to paragraph (4), a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.
(2) The requirements are that the subscriber or user of that terminal equipment–
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
(b) has given his or her consent.
(3) Where an electronic communications network is used by the same person to store or access information in the terminal equipment of a subscriber or user on more than one occasion, it is sufficient for the purposes of this regulation that the requirements of paragraph (2) are met in respect of the initial use.
(3A) For the purposes of paragraph (2), consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent.
(4) Paragraph (1) shall not apply to the technical storage of, or access to, information–
(a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
(b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.
More here
So who’s compliant?
Well, it seems that few have acted on the new rules as yet. The BBC have taken some steps: they list the cookies they use on the site and the purpose of each, and tell you how to reject or delete cookies, see here.
For a bit of amusement, David Naylor gives his spin on what the new Cookie policy could mean for you here.
What to do now?
Our suggestion is to start thinking about it now and implement incrementally, with small changes:
- Audit your site and highlight the most “intrusive” cookies (those that identify or track the user, especially across sites)
- Plan how to gain consent: browser settings, pop-ups, T&Cs, etc.
- Consider third-party cookies (e.g. from an advertising network or a streaming video service), which are still your responsibility when your site causes them to be set
- Consider devices (website, phone, in-store kiosk)
- Around 7 months before enforcement action (fines up to £500,000)
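To make the audit and consent steps above concrete, here is an added example (written for this edit, not code from the original post or from any of the organisations mentioned) of how a site’s own JavaScript might gate cookie-setting on recorded consent and audit the cookies it finds against a declared inventory. The inventory, the cookie names, the `CookieJar` wrapper and the sample cookie string are all constructed for illustration; in a real page the jar would write to `document.cookie` and the inventory would come from your own audit.

```javascript
// Declared cookie inventory (constructed for this example): name -> purpose and
// whether it is "strictly necessary" in the regulation 6(4)(b) sense.
const COOKIE_INVENTORY = {
  basket:    { purpose: "shopping basket contents for this session", essential: true },
  sessionid: { purpose: "keeps the user logged in", essential: true },
  _ga:       { purpose: "analytics visitor identifier", essential: false },
  ad_id:     { purpose: "third-party advertising identifier", essential: false },
};

// Consent state. Only a positive user action (e.g. clicking "accept") should
// call grant(); a browser-setting signal in the 6(3A) sense could feed in too.
class ConsentStore {
  constructor() { this.granted = false; this.recordedAt = null; }
  grant(timestamp = Date.now()) { this.granted = true; this.recordedAt = timestamp; }
  revoke() { this.granted = false; this.recordedAt = null; }
}

// Cookie jar abstraction so the example runs outside a browser (hypothetical);
// in a page, write() would assign to document.cookie instead.
class CookieJar {
  constructor() { this.cookies = new Map(); }
  write(name, value) { this.cookies.set(name, value); }
  names() { return [...this.cookies.keys()]; }
}

// The gate: strictly necessary cookies are always allowed; any other cookie
// must be declared in the inventory AND have consent recorded before it is set.
function setCookieWithConsent(jar, consent, name, value) {
  const entry = COOKIE_INVENTORY[name];
  if (!entry) {
    return { set: false, reason: "undeclared cookie: add it to the inventory first" };
  }
  if (!entry.essential && !consent.granted) {
    return { set: false, reason: "non-essential cookie blocked: no consent recorded" };
  }
  jar.write(name, value);
  return { set: true, reason: entry.essential ? "strictly necessary" : "consent recorded" };
}

// The audit: parse a Cookie header / document.cookie string and classify each
// cookie against the inventory. Undeclared cookies are the ones to chase first,
// since they are often set by third-party scripts nobody has documented.
function auditCookies(cookieString) {
  const report = { essential: [], nonEssential: [], undeclared: [] };
  for (const pair of cookieString.split(";")) {
    const name = pair.split("=")[0].trim();
    if (!name) continue;
    const entry = COOKIE_INVENTORY[name];
    if (!entry) report.undeclared.push(name);
    else if (entry.essential) report.essential.push(name);
    else report.nonEssential.push(name);
  }
  return report;
}

// Constructed sample input: a cookie string as a browser would send it.
const SAMPLE_COOKIES = "basket=abc123; _ga=GA1.2.111; ad_id=xyz; tracker9=1";

// Walk through the two steps: a blocked analytics cookie before consent, the
// basket cookie allowed regardless, then the same analytics cookie after consent.
function demo() {
  const jar = new CookieJar();
  const consent = new ConsentStore();
  const before = setCookieWithConsent(jar, consent, "_ga", "GA1.2.111");
  setCookieWithConsent(jar, consent, "basket", "abc123");
  consent.grant();
  const after = setCookieWithConsent(jar, consent, "_ga", "GA1.2.111");
  return { before, after, jarNames: jar.names(), audit: auditCookies(SAMPLE_COOKIES) };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of routing every cookie write through one function is that the consent decision is enforced in a single place rather than relying on each script author to remember it; the audit report then tells you which cookies the inventory (and therefore your cookie notice) does not yet cover.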
It’s not all doom and gloom
Looking at the positives that will come out of this, it offers a great opportunity to talk to your customers about what you collect and why, and to come up with some innovative marketing campaigns that encourage customers to understand and accept your cookies.
Useful Links
The Information Commissioner’s Office (ICO), the UK’s information watchdog, will publish a report before Christmas on progress UK organisations have made to comply with the new cookie rules.
ICO (Information Commissioner’s Office) Privacy and Electronic Communications Regulations
The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011
Note: This blog does not constitute legal or other professional advice and should not be relied on as such. Specific advice should be sought about your individual circumstances.