27 May 2011

New UK cookie laws now in force

Posted by Siobhan Doherty and Veronica Scott

From 26 May 2011, new UK laws require website operators to obtain a user's consent before using (e.g. by storing or accessing) a cookie (a text file saved by the site to a user's computer to store information such as user preferences) or a similar technology, unless the cookie is strictly necessary for the operation of the website.

Australian companies operating websites with UK (or other EU) users should also be mindful of these changes.

Background to the new cookie laws

The EU Privacy and Electronic Communications Directive (2002/58), known as the e-Privacy Directive, regulates data protection and privacy in the digital technologies and electronic communications sector. The Directive has, until now, required website operators to tell users how their sites use cookies and how users can 'opt out' of the use of cookies. Most websites commonly inform users of their cookies policy via the website privacy policy or terms and conditions. The policy generally explains whether the website uses cookies, for what purposes, how users can de-activate cookies and what this could mean for their website experience. Users can opt out of (stop) receiving cookies by de-activating them via their browser settings. By informing users that the website will use cookies, the continued use of the website by the user implies their consent to the use of cookies.

The UK Privacy and Electronic Communications Regulations 2003 implemented the e-Privacy Directive. However, as a result of amendments to the e-Privacy Directive (by Directive 2009/136) to include the new requirements for informed user consent to the use of cookies, Member States are required to implement the amendments in local law. The UK has done this by way of amendments to the Regulations.

What are the new cookie laws?

Under the amended Regulations a cookie can be placed on a user's computer only where the user has given consent, unless the cookie is strictly necessary for the operation of the website.

'Strictly necessary' exception

The UK Information Commissioner's Office's (ICO's) Guidance on the amendments to the Regulations states that the 'strictly necessary' exception will be interpreted narrowly and will apply only where the cookie's application is limited to a small range of activities and where the use of the cookie relates to a service requested by the user.

The Guidance suggests, for example, that the 'strictly necessary' exception will apply where a cookie is used to ensure that where a user has chosen goods for purchase and then clicks the 'add to basket' (or similar) button, the site remembers what the user chose for purchase on the previous pages. According to the Guidance the exception will not, however, apply where an operator decides that its website will be more attractive if it remembers users' preferences or where cookies are used to collect statistical information about use of the website.

User consent

If the 'strictly necessary' exception does not apply, a website operator may be able to obtain the necessary user consent. The ICO advises website operators not to rely on a user's browser settings for consent to cookie use because most browser settings are not yet sufficiently sophisticated to indicate the required consent and, in any event, not all users may visit the site via a browser.

Therefore website operators must consider appropriate methods for obtaining express consent to their continued use of cookies. This will depend on the nature of website and what it offers, how it interacts with its users and the impact on the usability of the site. Options might be:
  • using pop-ups - though this could adversely affect the user experience
  • amending the website terms and conditions - but consider how and whether users' attention can be drawn to the website terms and conditions or privacy policy so that a new cookies policy can be read and understood before users proceed to use the website
  • using settings-led or feature-led consent.

Further details about consent options are set out in the Guidance.

Non-EU websites

It is not clear whether websites hosted outside the EU, such as in Australia, but which target and interact with users who are residents of an EU country, may be subject to the laws of that country which implement the Directive's new cookie rules.

However, it would be open to data protection regulators and courts in that EU country to require the websites to conform to the new rules. Neither the UK Regulations 2003 nor the amended Regulations say whether a website operator outside the UK must comply. The ICO's latest press release on the amended Regulations refers to them as applying to UK businesses and organisations running websites in the UK.

Next steps for website operators

The ICO recognises that website operators have had little time to comply with the new laws.

While the ICO expects there to be a period of non-compliance following the implementation of the amended Regulations, it expects website owners to have considered the Guidance and to have a realistic plan to achieve compliance with the new laws.

The ICO will be issuing separate guidance on how it intends to enforce the revised Regulations. In the meantime, the Guidance advises website operators to take a number of steps. These are explained below (with some additional suggestions), effectively amounting to a 'cookie audit':
  • identify the cookies currently used by their website and the purpose of those cookies - consider if any are unnecessary or obsolete and can be removed
  • determine whether any of the cookies fall within the 'strictly necessary' exception from the user consent requirement
  • decide whether there are particular cookies which collect personal information and are more privacy sensitive - the more intrusive the cookie, the more likely you will need express consent or you will need to consider changing how you use it
  • be aware of third party cookies which your website may allow
  • decide on a method for obtaining the necessary user consent for the remaining cookies

As the Directive is implemented in the various EU countries, the national privacy regulators will no doubt provide further guidance on how compliance can be achieved, as well as how the amendments to the e-Privacy Directive will be enforced and complaints about cookies dealt with. For example, as explained above, the UK Government's view is that there should be a 'phase-in' approach to the implementation of the changes required (and, to this end, the ICO has announced that website operators will have a year's grace in which to comply with the amended regulations).

New technologies are also likely to be developed that will allow users to opt-in to use of cookies in a way that has minimum impact on their website experience. And the industry may also develop its own measures for self-regulation.
