The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 come into force on 26 May 2011. The Regulations set out new rules on the use and placing of, and access to, information including “cookies” on a user’s equipment such as a computer or mobile phone device.
The Information Commissioner’s Office (ICO) has published guidance setting out what steps website providers will need to take to ensure compliance with the Regulations.
Currently, providers must inform users of devices how they use cookies and how users can opt out if they object to the use of cookies. The Regulations will change the law so that users must now opt in for the use of cookies on their devices to be lawful.
The main provisions in the Regulations are as follows:
- Providers must provide clear and comprehensive information on the storage and use of data including cookies on users’ devices.
- Users must opt in to allow providers to store cookies on their devices.
- The only exception is if the cookie is “strictly necessary” for a service requested by a user. The ICO guidance gives the example of a user of a website choosing goods they wish to buy and clicking the “add to basket” button on the site. Here, the website will remember the goods the user chose on the previous page and consent from the user will not be required.
The ICO guidance suggests that providers carry out the following steps:
- Check what cookies are currently used and how they are used. This may involve a full audit of a provider’s website or a review of what data is placed on users’ devices.
- Check how intrusive the use of cookies is on users’ privacy. The more intrusive, the more extensive the changes to the use of data needed.
- Decide how best to obtain users’ consent for example, pop-ups, terms and conditions or scrolling and highlighted text in headers or footers.
The ICO intends to issue further guidance on how it will enforce the Regulations. The ICO guidance can be found here.