Time to review cookie use

18/07/11

The changed cookie regime

A recent change in the Privacy and Electronic Communications Regulations Directive will affect practically all businesses who run a website in the EU and could have a significant impact on website Terms and Conditions and methods of use.

The most significant change is that from May 2011 prior consent from users will be required before a company is permitted to utilise cookies to use or harvest information from users.

The previous regulations provided for very clear information and notifications on websites about the use of cookies and rights to opt out where the user did not wish to consent to the use of cookies on the website.

However, the continued and extensive multiplication of cookie use on websites, including those by third party advertisers, has led to this change. The EU is concerned about the gathering and subsequent use of information obtained by cookies about EU citizens on a website when accessed by users or when they provide personal information. As a consequence, the information that will need to be provided if cookies are used on a website has been considerably enhanced.

The new rules

These changes apply to storage or gaining access to information stored, in the device of a subscriber or user. From May 2011 specific and informed consent to the use of cookies by the user will be required.

However, many EU Countries including the UK have not yet implemented the changes into national law. It is likely that this process could take a further year - but these changes will be implemented.

Reliance on implied consent covering cookie use on the website will no longer, it seems, be sufficient. It is also unlikely that Terms and Conditions that are drafted to rely solely upon implied consent will fall foul of the new regulations. The practice of obtaining what has been called "opt in consent" from the user will now have significant potential problems for owners of websites.

Although guidance has been provided by the Information Commissioners Office for the UK, which is a useful starting point, it is clear that putting it into practice for businesses will be problematic.

The Information Commissioners Office has the power to fine anyone in serious breach of these regulations up to £500,000 (approx $825,000).

If your clients are multinationals, even if they are headquartered in foreign jurisdictions, with websites that gather information from EU citizens, they should comply with these changes. This may mean that multiple websites will require separate opt in or opt out permissions in different jurisdictions.

Need for action

Anyone gathering information via cookies, by any means, from websites that are accessed in the EU should be aware of these changes and ensure that they are acting in accordance with these new guidelines.

We therefore suggest that anyone operating a website that gathers information from EU citizens considers whether they employ "pop-ups" or whether cookies are dealt with in the terms and conditions on the website.

A review of terms and conditions; advice on how to continue to use cookies on a website and advice on how consent can be obtained in the most pragmatic way, should be obtained.

If you would like any further information or would like to discuss the implications of the recent EU directive and how we can assist you, please do not hesitate to contact Ian Dawes.