Cookie-Cutter: UK Announces New Rules for Website Cookies

The United Kingdom Information Commissioner’s Office (ICO), which oversees compliance with privacy laws, announced this week new rules (updated link here) governing the use of website “cookies” that will come into effect on May 26, 2011, possibly following an as-yet unidentified grace period. The new rules will effectively require opt-in consent to use most kinds of cookies, and they will be particularly difficult to manage in the context of third-party cookies such as those employed by advertisers and advertising networks. Since the new British rules are meant to implement amendments to the European Union’s ePrivacy Directive, this is an issue that will have to be addressed across Europe and is likely to impact any website aimed at a European market.

Cookies Everywhere

“Cookies,” small text files that a website automatically places on a visitor’s computer when the website is loaded, are ubiquitous on the Web. Session cookies track a user’s activity from page to page during a session, so that the user does not have to re-enter information or selections. Authentication cookies store logon credentials so that the user does not have to log on again after navigating to another website. Persistent cookies store user preferences for each successive visit to the website.

Tracking cookies may be used to collect analytic data on how an individual website is used, and some kinds of tracking cookies record the user’s activity across websites – which is more controversial from a privacy perspective. For example, “conversion tracking cookies” allow an advertiser to determine whether a user who clicks on a third-party advertising link ends up making an online purchase from the advertiser. Some behavioral marketing programs use cookies to collect information about the pages and sites visited by a consumer so that a profile can be constructed for targeted marketing purposes. Google Analytics uses cookies to create statistical reports for advertisers and website operators, without identifying the individual users other than by IP address.

The ePrivacy Directive

The European Union’s Privacy and Electronic Communications Directive (the “ePrivacy Directive”) essentially required transparency concerning cookies. Website visitors were to be informed about the website operator’s practices and available options to refuse or delete cookies. This has been the standard for website operators and advertisers since 2002.

In November 2009, the ePrivacy Directive was modified by amendments that included a revised Article 5(3) emphasizing the need for informed consent:

Member States shall ensure that the storing of or access to information already stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information in accordance with Directive 95/46/EC [the EU Data Protection Directive], inter alia about the purposes of the processing.

There is an exception for storage or access that is “strictly necessary” to provide an explicitly requested service.

The UK Response

Member States were required to transpose the amendments into national law in 18 months. This explains the timing for the revision of Regulation 6 of the UK Privacy and Electronic Communications Regulations 2003 (“PERC”), which will require after May 25 that the user “has given his or her consent” to storing or accessing information on the user’s equipment.

ICO’s announcement (updated link here) this week concerning the rule change raises as many questions as it answers, and the announcement itself states that ICO will issue separate guidance on how it intends to enforce PERC with respect to cookies.

Key Issues

  • ICO expects that the more intrusive cookies (such as those that create profiles of users, especially across multiple websites) will require more explanation and well-documented consent. Conversion tracking and behavioral marketing uses of cookies are clearly in the crosshairs.
  • The recitals to the amended ePrivacy Directive discuss the possibility of relying on the user’s browser settings to accept or reject cookies. ICO rejects this as a current solution, however, given the variety of browsers and settings in use, their unfamiliarity to many users, and the increasing use of mobile devices to access websites.
  • ICO mentions several other possible ways of informing users about cookies and obtaining consent, such as highlighted or scrolling headers, footers, or splash screens; disclosures on pages requesting personal information or offering particular downloads such as videos; website terms and conditions or pop-ups that require a user to click “I agree” before proceeding; website “settings” that could be selected by a user once and then remembered (presumably using a cookie) for subsequent visits.
  • ICO frankly acknowledges that third-party cookies may present the most challenging compliance issues and simply concludes that “everyone has a part to play in making sure that the user is aware of what is being collected and by whom.” An ICO spokesperson mentioned the possibility of establishing advertising network policies and procedures that could be viewed (and consented to?) by clicking on an icon displayed with banner ads and other advertising links.
  • ICO says the exception for “strictly necessary” cookies will be interpreted narrowly. It gives one potential example: cookies used to keep track of a user’s purchases in a “shopping basket” until the user is ready to “check out” and pay for the purchases. ICO advises that it would not be acceptable to use cookies without consent simply to make the presentation of the website more attractive or collect statistics about the use of the website.

Implications for Website Operators

  • Websites hosted in Europe are clearly subject to the new rules as they are implemented in each country this year. Data protection authorities and courts in some European countries may also assert that websites hosted elsewhere but targeting European residents should conform to the new cookie rules. When a company offers a UK or EU version of a website, for example, it may be required (or at least expected by users) to follow the EU rules.
  • The trend toward requiring fuller disclosure and explicit consent, especially for behavioral tracking, is likely to be seen in the US as well, as suggested by the Federal Trade Commission’s December 2010 report on consumer privacy.
  • Website operators should stay abreast of official interpretations and enforcement policies, such as those promised by ICO, that may offer more detailed guidance on cookie notices and consent mechanisms.
  • It’s a good time to inventory your organization’s cookie practices, make sure they are fully disclosed in website privacy policies, and consider how to operationalize express consent requirements in Europe.  Watch how popular commercial websites in the UK adapt to the new rules.  (Right now, even the privacy policy on ICO's website would be inadequate!)
  • Contracts with third-party advertisers, advertising networks, providers of website and browsing statistics, and business partners involved in co-branded websites should clearly delineate who is responsible for providing cookie notices and obtaining (and preserving evidence of) consent where required.