The United Kingdom's new laws for cookies and e-commerce will be enforced from 26 May 2012.
These laws were announced in April 2011 after a consultation in which Duane Morris participated. The consultation was triggered by a European Union Directive (the E-Privacy Directive (2009/136/EC)) introduced at the end of 2009. The E-Privacy Directive required each country in Europe to establish their own laws to meet the basic requirements of the Directive. The UK brought in new legislation—the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011—in May 2011 to do that. The new cookie laws in the UK apply to all data collected electronically, not just personal data. Personal data is also covered by separate data-protection laws across Europe, which are also in the process of revision as we reported in an earlier Duane Morris Alert.
In our earlier Alert, we covered some of the history behind the new laws. The UK Information Commissioner's Office (ICO) responded to a lack of clarity in the original legislation by announcing a one-year period of grace during which time it expected that it would not enforce the new laws. That grace period expires next month. The UK law applies not only to cookies but also to similar technologies for storing information. This could include flash cookies, web beacons or web bugs (also known as clear gifs). It will apply to cookies that expire at the end of a user's online session (known as session cookies) and those that are stored for longer (sometimes called persistent cookies).
Information to be provided
Cookies or similar devices should not be used, unless the user:
- (a) is provided with clear and comprehensive information about what the cookies are doing and what is being stored; and
- (b) has given his or her consent.
UK law does not detail the sort of information that should be provided, but the ICO feels that it should be "sufficiently full and intelligible to allow individuals to clearly understand the potential consequences of allowing storage and access to the information collected by the device should they wish to do so." A limited exception to the need to provide this information is where use of the cookie is strictly necessary to provide a service required by the user. This exception is likely to be narrowly interpreted, and the ICO feels it will be limited to cookies that are essential, rather than reasonably necessary.
The Guidance also maintains that the ICO would like compliance to stretch beyond organizations based in the UK, saying "Organisations based outside of Europe with websites designed for the European market, or providing products or services to customers in Europe, should consider that their users in the UK and Europe will clearly expect information and choices about cookies to be provided." Whether the ICO would try to assert jurisdiction over a U.S. website using cookies with European visitors (like the Spanish regulator has attempted to do) remains to be seen.
The rest of Europe
Each of the 27 countries in the EU were also due to implement their local laws by 25 May 2011 to meet their obligations under the Directive. Some have fared better than others, and interpretation of the Directive has varied across Europe. It is hard to foresee how rigorously these laws will be applied. Cookies have traditionally been one of the areas in which there is little harmony in Europe, and while hope remains that more countries will take the ICO's reasonable and balanced stance, that is by no means certain.
It should also be noted that existing powers also exist in consumer legislation to deal with unfair trade practices. These laws have been enforced more in the last few months, with the recent UK investigation into Groupon being just one instance. In the UK, the Consumer Protection from Unfair Trading Regulations 2008 gives the duty to regulators to act when a consumer is deceived about the presence of cookies, even when the information they have been given is correct. The penalties under the existing UK legislation include fines or a prison term of up to two years.
The debate over the use of tracking tools on websites has been developing for some time. Many website operators simply do not know how many cookies are on their sites. It can be challenging to meet the obligation to be transparent without that basic knowledge. Businesses may want to check their sites to determine where they are using cookies and what those cookies are doing. They also may want to stop using unnecessary cookies, especially those sending data to third parties. Businesses may then develop ways of informing visitors to their sites what is happening to their data and getting consent to those practices. Given that the law is still in a state of uncertainty, transparency should be the guiding principle of any business in its online activities.
If you have any questions about this Alert, please contact Jonathan P. Armstrong in our London office, any of the members of the Information Technologies and Telecom Practice Group or the attorney in the firm with whom you are regularly in contact.
This article is for general information and does not include full legal analysis of the matters presented. It should not be construed or relied upon as legal advice or legal opinion on any specific facts or circumstances. The description of the results of any specific case or transaction contained herein does not mean or suggest that similar results can or could be obtained in any other matter. Each legal matter should be considered to be unique and subject to varying results. The invitation to contact the authors or attorneys in our firm is not a solicitation to provide professional services and should not be construed as a statement as to any availability to perform legal services in any jurisdiction in which such attorney is not permitted to practice.
Duane Morris LLP, a full-service law firm with more than 700 attorneys in 24 offices in the United States and internationally, offers innovative solutions to the legal and business challenges presented by today's evolving global markets. Duane Morris LLP, a full-service law firm with more than 700 attorneys in 24 offices in the United States and internationally, offers innovative solutions to the legal and business challenges presented by today's evolving global markets. The Duane Morris Institute provides training workshops for HR professionals, in-house counsel, benefits administrators and senior managers.