On 25 May 2011, EU Member States will have to implement changes to the Directive on Privacy and Electronic Communications (commonly known as the E-Privacy Directive). One change in particular will require businesses to obtain consent from users of their websites to leave cookies or text files on those users’ computers.
The UK Department for Culture, Media and Sport, which oversees policy for all information and communications technology matters, has said that work on regulations to implement the directive is ‘ongoing’, but may not be complete by the 25 May deadline. This will leave UK businesses uncertain about the specific obligations they will need to comply with – a picture that is likely to be reflected across many other EU States.
In the interests of clearing up some of the confusion, here is a look at the directive’s background and immediate future.
Questions over privacy
The E-privacy Directive came into force in July 2002 to protect individuals’ personal data and privacy in their electronic communications. As part of this protection, the directive sets out how personal data may be collected and used and how internet users should be informed about this. In particular, it relates to the use of ‘cookies’: small files that are placed on users’ computer hardware by website owners during website visits. Cookies are deployed to collect information about individuals’ usage of any websites they access, and relay that information to the sites’ controllers.
Users may adjust their internet settings to prevent cookies from being placed on their computers. However, the default setting on most browsers allows cookies to be placed without prior permission.
In the past, businesses have been able to comply with their data-protection obligations by providing privacy policies on their websites that set out how cookie data will be collected and processed. Businesses may then place cookies on computers and handle the information they gather in accordance with those policies. This technology has proved very useful to a number of businesses that collect information not just for marketing purposes, but in order to improve users’ experience of their sites.
However, the new amendment to be implemented on 25 May changes the ‘informed opt-out’ in relation to cookies to a ‘prior-informed opt-in’. Cookies may now be placed on computers only if their users have given consent – having been provided with appropriate information about how the resulting information will be handled, and what purposes it will be put to. Clearly, this is likely to have a major impact on the way in which businesses run their websites.
Although many EU Member States are yet to release formal regulations enacting the E-Privacy Directive, initial guidance has been provided by governments and other professional bodies as to how stakeholders should prepare for the impending changes. In the UK, for example, the government has suggested that it intends to implement the exact wording of the E-privacy Directive (although, unfortunately, this does not set out in great detail how to effectively comply with the new obligations).
However, the government has pledged that it intends to reject the establishment of any opt-in system for cookies that would require users to consent to every cookie that could be placed on their machines. Instead, it has suggested that browser owners should take significant steps to ensure that the options for browser settings are made more visible to users, such as by providing clear and concise information about how users can opt out of cookies if they so wish.
This jars with the EU Working Party’s Opinion on the strict opt-in standards for cookie use that it argues should be implemented. The Working Party has noted that, in order to assist compliance with the directive, browser owners would have to provide a default setting that rejects cookies. This would prompt users to change the settings manually to accept them. While the Working Party’s Opinion is not binding on Member States, it is likely that it would be taken into account if the UK implementation of the E-Privacy Directive were reviewed by the European Commission.
But this will provide scant comfort to businesses that are busily engaged with using cookies – particularly as the information commissioner, Christopher Graham, has told businesses recently that they need to ‘wake up’ to their obligations under the directive. With this in mind – along with the likelihood that the ICO will impose hefty fines eventually – it would be advisable for businesses to implement changes sooner rather than later.
In addition, we must not forget that these changes will affect businesses that are not in EU Member States. Any business – wherever it is located – that places cookies on users’ computers in the course of its EU activities would likely be subject to the obligations under the directive. It is still to be decided, though, how and where those obligations will be enforced.
To avoid exposure to legal action, all businesses using cookies need to carefully consider the methods they use to obtain computer users’ consent. They should also keep a keen eye out for any further guidance provided by the ICO and the UK government, among others, to try to limit their liability as they muddle through these uncertain times.
Chris Saunders is a solicitor at Mundays Solicitors LLP