The UK law
The Privacy and Electronic Communications (Amendment) Regulations 2011 amended the original 2003 Regulations.
The relevant rules are found in amended Regulation 6, which reads as follows:
6. - (1) Subject to paragraph (4), a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.
(2) The requirements are that the subscriber or user of that terminal equipment -
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
(b) has given his or her consent.
(3) Where an electronic communications network is used by the same person to store or access information in the terminal equipment of a subscriber or user on more than one occasion, it is sufficient for the purposes of this regulation that the requirements of paragraph (2) are met in respect of the initial use.
(3A) For the purposes of paragraph (2), consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent.
(4) Paragraph (1) shall not apply to the technical storage of, or access to, information -
(a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
(b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.
What does this mean?
The term "consent" is not defined in the UK Regulations or the Data Protection Act 1998. It is, however, defined in the Data Protection Directive of 1995, as "any freely given specific and informed indication of his wishes". This Directive was implemented in the UK by the Data Protection Act 1998.
The consent requirement has been the subject of much discussion since the publication of the EU Directive amending the cookies law. Various authorities, including the Article 29 Working Party (a coalition of data protection regulators from across the EU), the UK Government and the Information Commissioner's Office have voiced conflicting opinions on how the consent requirement will operate in practice. The authorities have differing views on whether consent should be obtained prior to the placing of cookies. It is difficult to see how anything other than prior consent will comply with the wording of the UK Regulations.
The Article 29 Working Party warned that consent cannot be implied from browser settings.
"Consent must be obtained before the cookie is placed and/or information stored in the user's terminal equipment is collected, which is usually referred to as prior consent," said the Working Party's spokesman. "Informed consent can only be obtained if prior information about the sending and purposes of the cookie has been given to the user."
The Working Party did not go as far as to say that every website needs to ask every visitor to accept every cookie, though. Many cookies are used by advertising networks across multiple websites. For these cookies, consent can be given once to a network and cover all the websites that network serves, according to the Working Party.
Shortly before the publication of the PECD the Information Commissioner published guidance that offers advice on when and how the consent may be given.
The guidance states:
"You need to provide information about cookies and obtain consent before a cookie is set for the first time. Provided you get consent at that point you do not need to do so again for the same person each time you use the same cookie (for the same purpose) in future".
The ICO will consider issuing more detailed advice if they deem it appropriate. They have stated in their guidance that this may include further examples of how to gain consent for particular types of cookies as methods develop.
How to comply with the UK's current law on cookies
The ICO guidance states that it is a starting point for businesses to achieve compliance. In the absence of definitive methods of compliance it is difficult to say for certain what steps need to be taken to comply with the PECD. We suggest that businesses should at least:
- Audit how their sites operate and receive data from online partners and providers, and what they receive, to obtain a clear understanding of where cookies are used and for what purpose;
- Whenever a new site is developed or an existing one upgraded, or a website-related commercial relationship started, ensure that there are clear details about the operation of cookies and tracking to be used;
- Include a link in your policy to www.aboutcookies.org so that your visitors can access instructions on deleting and controlling cookies.
The ICO guidance suggests a number of different methods that can be used for obtaining user consent but encourages businesses to find the solution that works best for them.
- Pop ups or similar techniques asking for consent can be used. Pop ups are discouraged by Web Content Accessibility Guidelines. They may also spoil the experience of using a website. Users can also block pop ups by default, making this impractical;
- Preferences that users choose when visiting a website can also be used as a means of obtaining consent. Consent could be gained as part of the process by which the user confirms what they want to do or how they want the website to work, provided sufficient information about the use of the cookies is provided. This would apply to any feature where a user is told that a website can remember certain settings they have chosen;
- Website features, such as videos, that remember how users personalise their interaction can also determine user consent. In this case, where the user is taking some action to tell the webpage what they want to happen – opening a link, clicking a button or agreeing to the functionality being 'switched on' – then their consent to set a cookie can be asked at this point;
- Where a website allows a third party to set cookies the process of getting consent is more difficult. Initiatives that seek to ensure that users are given more and better information about the use of information, for example the use of the "i" symbol, referred to below, should be used. Anyone whose website uses or allows third party cookies must ensure that the right information is delivered to users so they can make informed choices.
In the absence of definitive methods a hybrid of the above methods is likely to be the way forward for the time being at least.
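As an added illustration (not code from the original article), the following models the three rules above in a small consent gate: non-exempt cookies are refused until the user has taken an affirmative action, strictly necessary cookies under Regulation 6(4)(b) are exempt, and consent recorded once is reused on later visits as Regulation 6(3) allows. The cookie registry, categories and the Map-based jar standing in for document.cookie are constructed assumptions for the example.

```javascript
// Constructed cookie registry: the output of the audit step above, mapping each
// cookie the site sets to a plain-language purpose and a category.
const COOKIE_REGISTRY = {
  session_id: { purpose: "keeps you logged in during your visit", category: "strictly-necessary" },
  csrf_token: { purpose: "protects forms against cross-site request forgery", category: "strictly-necessary" },
  site_prefs: { purpose: "remembers your language and layout choices", category: "functional" },
  ad_network: { purpose: "third-party advertising across several websites", category: "advertising" },
};

// Categories exempt from the consent requirement (Regulation 6(4)(b)).
const EXEMPT_CATEGORIES = new Set(["strictly-necessary"]);

// jar is a Map of cookie name -> value, standing in for document.cookie so the
// example runs outside a browser (assumption for the example).
function createConsentGate(jar = new Map()) {
  function consentGiven() {
    return jar.get("cookie_consent") === "granted";
  }

  // Called from the user's affirmative action (button click, preference
  // confirmation). The consent record itself is needed to honour the choice
  // on return visits (Regulation 6(3)), so it is stored without a further prompt.
  function grantConsent() {
    jar.set("cookie_consent", "granted");
  }

  // Returns true if the cookie was set, false if it was withheld pending consent.
  // Unregistered cookies are refused outright: anything the audit missed should
  // fail loudly rather than be set silently.
  function setCookie(name, value) {
    const entry = COOKIE_REGISTRY[name];
    if (!entry) throw new Error(`unregistered cookie: ${name}`);
    if (!EXEMPT_CATEGORIES.has(entry.category) && !consentGiven()) return false;
    jar.set(name, value);
    return true;
  }

  // The "clear and comprehensive information" of Regulation 6(2)(a): one line
  // per non-exempt cookie, shown before consent is requested.
  function noticeLines() {
    return Object.entries(COOKIE_REGISTRY)
      .filter(([, entry]) => !EXEMPT_CATEGORIES.has(entry.category))
      .map(([name, entry]) => `${name}: ${entry.purpose}`);
  }

  return { setCookie, grantConsent, consentGiven, noticeLines, jar };
}
```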