On 26th May 2011, the amended Privacy and Electronic Communications Regulations came into force, covering all aspects of electronic marketing.
The change in regulations was driven by a European Directive (E-Privacy Directive 2002/58/EC) from Brussels and was drafted specifically to address the requirements of new digital technologies. The directive complements the Data Protection Directive (Directive 95/46/EC), which was in turn designed to ensure the privacy and protection of all personal data collected in the EU.
Core to the directive is the “right to privacy in the electronic communication sector”: all providers of services are obliged to erase or anonymise data when it is no longer needed. Data may be retained in cases where consent has been gained from the user for marketing and value-added services – but in all cases the user must be informed of why and for how long the data will be processed.
Most of the requirements laid out in the directive will have minimal impact because a number of them are already enshrined in UK law. An example of this is SPAM (or unsolicited emails, SMS etc…) – Article 13 prohibits the use of email addresses for marketing purposes unless the user has explicitly agreed or provided consent (opted in). Gaining “opt in” consent, as opposed to the previous assumption that the user must “opt out”, is a practice that is now commonplace in all electronic transactions and processes.
So what impact will the amendment have?
- Ignore the directive and carry on as usual.
- Change my website so it doesn’t use any cookies.
- Ensure that all my cookies are essential and that I can prove it beyond any doubt.
The requirement to obtain consent has sent shockwaves through the web, with many claiming that it would be too intrusive and to the detriment of the user experience, and that there would be a substantial negative impact on online businesses if the regulations were not watered down. Whether or not this will be the case, only time will tell (but I think not).
Such is the impact that discussions have already started with the organisations that provide the mainstream browsers – Internet Explorer (Microsoft), Firefox (Mozilla), Chrome (Google), Safari (Apple) and Opera (Opera) to name a few – to provide a standard way in which browsers could provide the necessary functionality. Will this happen? Probably, but not anytime soon.
Obviously option 1 is a non-starter due to risk (as you will see below); options 2 and 4 are possible but may require your whole site to be rewritten (and could be expensive). The choice of least resistance and potentially least cost would seem to be option 3.
The Information Commissioner’s Office (ICO) has given us 12 months’ grace, so I have 12 months before I need to worry, right?
The new regulations will be enforced via the use of new powers for the Information Commissioner’s Office (ICO) to serve monetary penalties (of up to £500,000) and to investigate any instances where the law may have been broken.
The European directive will be enforced over the next 12 months (all organisations must be compliant by May 2012), and organisations MUST be aware of the potential impact/risk to their business. This is not to say that the ICO will not be enforcing the rule or that it condones organisations taking no action until that date – on the contrary, if necessary the ICO will issue warnings to organisations that do not appear to be making adequate preparations. So ignore the changes at your peril!
So what should I do?
This is not an exhaustive exposition of the directive and its effects but a high-level overview of the immediate impacts and the potential risks to businesses that have not considered the ramifications of the amendments.
For more information, please refer to:
- A summary of the new rules and what they mean for individuals
- The ICO’s new powers and their approach to enforcing the regulations
- The ICO’s advice to organisations about how to prepare for the new rules on cookies
- The changes to the ICO website in response to the new rules on cookies