Don’t be a cookie monster

Changes to the Privacy and Electronic Communications Regulations (PECR) in respect to consent for cookies have placed considerable compliance obligations on businesses.

When initial guidance was issued by the Department for Culture, Media and Sports in 2011, it was ­suggested that business must help ­itself to manage compliance. The ­International Chamber of Commerce (ICC) in the UK has led the process to help businesses comply.

The cookies guide aims to help both website operators and users come to terms with the so-called cookies law by placing them into four categories based on their functions. It is hoped that this will help website operators categorise the cookies they use and assist them in preparing ­suitable methods of obtaining informed consent, as well as aiding communication with website visitors by ­offering them standard notice ­language explaining, in simple terms, what cookies are and how they are used.

While all EU member states should have implemented Article 5 (3) of the E-Privacy Directive 2009 by 26 May 2011, it is well-known that the vast majority have not. The UK was one of the few member states to implement the law on time, although the Information Commissioner’s Office took the practical step of granting a 12-month moratorium, which runs out on 26 May 2012, to enable businesses to comply.

Information commissioner Chris-topher Graham, in commending the advice of the ICC, also added: “We’re seeing lots of good work, but until it all ends up on websites there’s a risk that bluster, scare tactics and burying of heads will win the day […] From May [2012] we’ll shift our ­attention to those who do not comply nor attempt to comply.”

The UK implemented the E-Privacy Directive 2009 by amendments to the PECR as follows:

Section 6 (1) subject to paragraph 4 (4): a person shall not use an electronic communications network to store information, or to gain access to information stored, in the terminal equipment of a subscriber or user ­unless the requirements of paragraph (2) are met.

Section 6 (2): the requirements are that the subscriber or user of the ­terminal equipment is (a) provided with clear and comprehensive ­information about the purposes of the storage of , or access to, that ­information, and (b) is given the ­opportunity to refuse the storage or access to that information unless they have given their consent.

Section 6 also includes an almost identical use of the directive’s browser exemption.

The effect of the above is that a website operator must have a clear and transparent notice available to users about what technologies are used to store information or gain access to information stored, and have a mechanism such that consent can be meaningfully obtained.

Nothing here indicates either an opt-in or opt-out and the ICC makes it clear that, equally, nothing indicates that consent must be “prior consent”.

That being said, the issue for ­website operators is that currently any information about cookies is usually minimal and often not ­transparent and is definitely not on an explicit consent basis, but generally by implication - if at all. Time is running out to get compliant.