Legal updates from FridayLegal
What are the new laws?
The predecessor to the Regulations, the Privacy and Electronic Communications Regulations 2003 required users to be:
(a) Provided with clear and comprehensive information about the purposes of the storage of and access to the information stored in the terminal equipment of a user; and
(b) Given the opportunity to refuse the storage of or access to that information.
The Regulations amend the second requirement (b) above so that, as well as being fully informed as to the use and application of cookies, the user must now give their consent.
This amendment effectively shifts the onus from the user having to actively opt out of storage of or access to information, onto the person or entity operating the website – you must ensure that you obtain the express consent of the user before setting cookies.
This need for consent can only serve to strengthen the first requirement that the user is well-informed - a user of your site would need to understand the nature and application of the cookies in order to give meaningful consent to their use.
There are two very narrow exceptions to the above rules. The first arises where a cookie is used for the sole purpose of transmitting an electronic communication over an electronic communications network.
The second exception is where the use of the cookie(s) is question is ‘strictly necessary’ in the provision of a service which has been specifically requested by the user. For example, a user may decide to purchase some items from your website; a cookie required to enable the user to add an item to their virtual basket, or proceed to checkout would likely come under this exception.
How can I ensure my website is compliant?
To ensure that your business website does not operate in contravention of the rules on cookies, the Information Commissioner’s Office (ICO) advises that you
• Identify which cookies your website uses and what they are used for. You could use this as an opportunity to identify which (if any) of your cookies fall under the exceptions above, and to spring- clean your website to remove redundant cookies.
• Consider the nature of the cookies you use. The ICO suggests that whilst the Regulations make no distinction between different types of cookie, the level of intrusion effected by your cookies can be a good indicator of how you might need to adjust or amend the nature of the cookies you use to protect the privacy of your users.
• Think about the best method for gaining consent The more intrusive the activity undertaken by a particular cookie, the more you will need to do to ensure that you obtain meaningful, well-informed consent from your users.
The Regulations do not require you to obtain renewed consent from users on their subsequent visits provided that the two requirements are fulfilled on their initial use.
The Regulations suggest that consent may be obtained should a user determine their own preferences in relation to cookies by adjusting their browsers settings – if the website can identify that a user’s browsers settings permit a certain type of cookie, this may provide the necessary consent. At present however, most browser settings are not refined enough for you to assume that consent is given to set your website’s cookies.
It is not clear from the Regulations precisely who is responsible for obtaining consents. If your website uses third party cookies, it is in both parties’ interest to ensure compliance with these rules. The ICO suggest that it is not particularly crucial who obtains consent, so long as such consent is properly obtained.
If you are in the business of developing websites, you should ensure that any site you develop does not prevent your client from complying with the rules.
Penalties for non-compliance include enforcement and information notices as well as fines of up to £500,000.
If you would like any further guidance on ensuring your business complies with all relevant laws, please contact Friday Legal’s dedicated Intellectual Property Law team for advice on 01536 218888.