Privacy & Information Security Law Blog

On December 13, 2011, the Information Commissioner issued updated guidance on compliance with recent changes to UK law governing the use of cookies (The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (“Regulations”)). Organizations were given a twelve-month grace period to comply with the new law. Initial guidance on the Regulations was released on May 9, 2011, but the Information Commissioner characterized that guidance as merely a “starting point for getting compliant rather than a definitive guide,” signaling that further advice would follow if appropriate. The release of the updated guidance coincides with the Information Commissioner’s interim report on organizations’ attempts to achieve compliance in which he concluded that organizations “must try harder” with their cookie compliance efforts.

The revised law mandates prior opt-in consent for cookies. A central theme of the updated guidance is that consent requires understanding, but research indicates that current levels of user understanding regarding cookies generally is low. The Information Commissioner envisages website operators playing a role in raising awareness of cookies and educating users. Until users have a better understanding of cookies, organizations likely will be required to provide detailed information and clear, explicit consent mechanisms.

The revised guidance includes the following requirements regarding consent:

1. Except in limited circumstances, consent must be obtained prior to placing cookies on visitors’ computers. The Information Commissioner recognizes that some websites set cookies as soon as a user accesses the site but, wherever possible, consent should be obtained before cookies are set.
2. It is unlikely that organizations can rely on implied consent, particularly while user understanding of cookies is so limited.
3. Consent can be obtained across multiple related sites, provided it is clear to which sites the consent applies.
4. Consent does not need to be obtained for each individual cookie, but can be obtained for a class of cookies performing the same set of functions. Consent only needs to be obtained once, unless the purpose of the cookie changes significantly.
5. The only exception to the requirement for consent is where the cookie is “strictly necessary.” The guidance emphasizes that this exemption is extremely narrow and, in particular, would not apply to cookies used for analytical purposes (despite their privacy impact being fairly low).
6. Organizations should provide information about, and mechanisms for, withdrawing consent.

The updated guidance also provides the following clarifications:

1. The Regulations apply to both persistent and session cookies. Session cookies (which expire after a browser session ends) are generally less privacy intrusive, and organizations are encouraged to utilize them instead of persistent cookies (which are stored on a device between browser sessions), or to shorten the lifespan of persistent cookies. As an alternative to cookies, the guidance also suggests using other technical solutions, such as device fingerprinting.
2. The Regulations are unlikely to apply to intranets, as they seldom use a public electronic communications service. Organizations still should consider the wider privacy implications of collecting and processing personal data on an intranet.
3. Responsibility for complying with the Regulations primarily lies with whoever sets the cookies. However, where a third party sets the cookies, both the third party and the website operator are responsible. In many cases the website operator may be better placed to obtain user consent from a practical perspective. Third parties setting cookies might consider the use of contractual clauses to ensure that website operators obtain the required consents.

Although the additional guidance reiterates the twelve-month lead in period, it makes clear that organizations must take steps to ensure full compliance by May 26, 2012. Any organization that is not fully compliant by that deadline may be expected to provide a specific explanation for its non-compliance, and a clear plan (including timeframe) for achieving compliance.