The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 come into force on 26 May 2011. The Regulations set out new rules on the use and placing of, and access to, information including “cookies” on a user’s equipment such as a computer or mobile phone device.
The Information Commissioner’s Office (ICO) has published guidance setting out what steps website providers will need to take to ensure compliance with the Regulations.
The main provisions in the Regulations are as follows:
- Providers must provide clear and comprehensive information on the storage and use of data including cookies on users’ devices.
- Users must opt in to allow providers to store cookies on their devices.
- The only exception is if the cookie is “strictly necessary” for a service requested by a user. The ICO guidance gives the example of a user of a website choosing goods they wish to buy and clicking the “add to basket” button on the site. Here, the website will remember the goods the user chose on the previous page and consent from the user will not be required.
The ICO guidance suggests that providers carry out the following steps:
- Check what cookies are currently used and how they are used. This may involve a full audit of a provider’s website or a review of what data is placed on users’ devices.
- Decide how best to obtain users’ consent, for example through pop-ups, terms and conditions, or scrolling and highlighted text in headers or footers.
The ICO intends to issue further guidance on how it will enforce the Regulations. The ICO guidance can be found here.