The new rules on electronic marketing and cookies – are you ready?

On 26th May 2011, the amended Privacy and Electronic Communications Regulations came into force, covering all aspects of electronic marketing.

Overview

The change in regulations was driven by a European Directive (E-Privacy Directive 2002/58/EC) from Brussels and was drafted specifically to address the requirements of new digital technologies. The directive complements the Data Protection Directive (Directive 95/46/EC), which was in turn designed to protect the privacy of individuals and all personal data collected in the EU.

Core to the directive is the “right to privacy in the electronic communication sector”: all providers of services are obliged to erase or anonymise data when it is no longer needed. Data may be retained where consent has been gained from the user for marketing and value added services, but in all cases the user must be informed of why the data will be processed and for how long.

Most of the requirements laid out in the directive will have minimal impact, because a number of them are already enshrined in UK law. An example of this is SPAM (unsolicited emails, SMS etc…): Article 13 prohibits the use of email addresses for marketing purposes unless the user has explicitly agreed or provided consent (opted in). Gaining “opt in” consent, as opposed to the previous assumption that the user must “opt out”, is now common practice in all electronic transactions and processes.

So what impact will the amendment have?

An immediate, fundamental impact of the amendment is the requirement governing the use of cookies on websites. Under the amended directive all websites are now required to obtain specific consent from the user browsing before any non-essential cookies can be set. Previously the rules only required websites to provide information on how to “opt out”, and most organisations complied by updating their online privacy policy/notice.

The only exceptions to this rule are cookies that are “strictly necessary” to the functioning of the website; an example could be an ecommerce site that relies on cookies to allow transactions to take place by recording items in a basket. Notice that the example says “could” and not “would”: the guidelines issued by the ICO specify that exceptions need “to be interpreted quite narrowly”, so that the use of cookies is based on services “explicitly requested” by the user. Setting a cookie to record a basket and browser history when the user has not explicitly attempted to add any items may therefore be construed as non-essential to the browsing experience; such a cookie should only be set at the point the user adds an item.

What this means is that any website using cookies MUST obtain consent from the user before setting any non-essential cookies. Not a big deal, you may think, but nearly all websites use cookies to some extent. You have four choices:

  1. Ignore the directive and carry on as usual.
  2. Change my website so it doesn’t use any cookies.
  3. Modify my privacy policy and add any necessary functionality to obtain consent from the user.
  4. Ensure that all my cookies are essential and can prove it beyond any doubt.

The requirement to obtain consent has sent shockwaves through the web, with many claiming that it would be too intrusive and to the detriment of the user experience, and that there would be a substantial negative impact on online businesses if the regulations were not watered down. Whether or not this will be the case only time will tell (but I think not).

Such is the impact that discussions have already started with the organisations that provide the mainstream browsers (Internet Explorer (Microsoft), Firefox (Mozilla), Chrome (Google), Safari (Apple) and Opera (Opera), to name a few) to provide a standard way in which browsers could provide the necessary functionality. Will this happen? Probably, but not anytime soon.

Obviously option 1 is a non-starter due to the risk (as you will see below); options 2 and 4 are possible but may require your whole site to be rewritten (and could be expensive). The choice of least resistance, and potentially least cost, would seem to be option 3.
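As an added example (not code from the original post), the consent gate below encodes the two points made above: cookies the site classifies as “strictly necessary” are written immediately, every other cookie is held back until the user consents, and the basket cookie is only written at the moment the user actually adds an item. The cookie names and the strictly necessary list are assumptions for illustration; in a browser the `writeCookie` callback would wrap `document.cookie`.

```javascript
// Assumed classification: only these names count as "strictly necessary".
const STRICTLY_NECESSARY = new Set(["basket", "session_id"]);

// writeCookie(name, value) is whatever persists the cookie; the gate never
// calls it for a non-essential cookie until consent has been given.
function createCookieGate(writeCookie) {
  let consentGiven = false;
  const deferred = [];

  return {
    // Returns true if the cookie was written, false if it was held back.
    set(name, value) {
      if (STRICTLY_NECESSARY.has(name) || consentGiven) {
        writeCookie(name, value);
        return true;
      }
      deferred.push([name, value]); // remember it, do not write it yet
      return false;
    },
    // Called when the user accepts: release everything that was held back.
    grantConsent() {
      consentGiven = true;
      while (deferred.length > 0) {
        const [name, value] = deferred.shift();
        writeCookie(name, value);
      }
    },
    // Names of cookies still waiting for consent (useful for the banner).
    pendingNames() {
      return deferred.map(([name]) => name);
    },
  };
}

// The basket cookie is only "explicitly requested" once an item is added,
// so it is set here and nowhere earlier, even though it is exempt.
function addToBasket(gate, basket, sku) {
  basket.push(sku);
  gate.set("basket", basket.join(","));
  return basket;
}

// Constructed in-memory jar standing in for the browser's cookie store.
function memoryJar() {
  const store = new Map();
  return { write: (name, value) => store.set(name, value), store };
}
```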

The Information Commissioner’s Office (ICO) has given us 12 months grace, so I have 12 months before I need to worry right?

The new regulations will be enforced via the use of new powers for the Information Commissioner’s Office (ICO) to serve monetary penalties (of up to £500,000) and to investigate any instances where the law may have been broken.

The European directive will be enforced over the next 12 months (all organisations must be compliant by May 2012), and organisations MUST be aware of the potential impact/risk to their business. This is not to say that the ICO will not be enforcing the rules, or that it condones organisations taking no action until that date; on the contrary, if necessary the ICO will issue warnings to organisations that do not appear to be making adequate preparations. So ignore the changes at your peril!

So what should I do?

Organisations should now be investigating ways to actively gain consent from users for the use of cookies. A good starting point would be to view the link “A summary of the new rules and what they mean for individuals” provided by the ICO. But be aware that the ICO guidelines only provide you with a technical framework and suggested actions; do not mistake them for the sole solution to the requirements.

This is not an exhaustive exposition of the directive and its effects but a high level overview of the immediate impacts and the potential risks to businesses who have not considered the ramifications of the amendments.

For more information, please refer to:

All About Cookies

A summary of the new rules and what they mean for individuals
The ICO’s new powers and their approach to enforcing the regulations
The ICO’s advice to organisations about how to prepare for the new rules on cookies
The changes to the ICO website in response to the new rules on cookies


About Tim Ng

Operations Director at threesixty (formerly known as Head of IT), making change happen. Technology, social networking, risk and trying to stay injury free. Please follow me on twitter (@tim_kc_ng).