On 26 May 2011 the UK implemented an amendment to the EU's Privacy and Electronic Communications Directive under The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (the "Regulations"). The Regulations are essentially designed to protect the privacy of internet users in the UK.

Although the Regulations are UK law and their application has not been extended to the Isle of Man, the Office of the Isle of Man's Data Protection Supervisor regards compliance with the Regulations as being best practice. In addition, as per guidance issued by the UK's Information Commissioner's Office (ICO), organisations based outside of the UK with websites designed for the UK market, or providing goods and/ or services to customers in the UK, should consider that their UK users will expect information and choices about cookies to be provided.

The ICO has the primary role in enforcing the Regulations and, although the Regulations came into force in May 2011, the ICO gave organisations a year's grace to implement the necessary changes before ICO enforcement begins. The grace period expires at the end of May 2012.

Amongst other changes, the Regulations altered the legal regime governing cookies and similar technologies for storing information. This article is concerned only with these changes and uses the term cookies to refer to cookies and similar technologies covered by the Regulations.

Cookies, a Definition

A cookie is a small file of letters and numbers downloaded on to a device when the user accesses certain websites. In essence, cookies allow a website to recognise a user's machine.

The Regulations require UK businesses and organisations running web sites in the UK to obtain informed consent from visitors to their web sites to the use of cookies and similar technical means that can be used for tracking website and mobile app users. Subscribers and users must be provided with clear and comprehensive information. The relevant rules are found in the amended regulation 6 of the Regulations, which is broad in its application and applies to storage on any 'terminal equipment' (which includes mobile devices as well as computers).

Regulation 6 covers the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user.

The Regulations provide that a website operator must not store information or gain access to information stored in a user's computer (or other web-enabled device) unless the subscriber or user "is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information" and "has given his or her consent". Website operators must obtain consent by giving subscribers and users specific information about what they are agreeing to and providing them with a way to show their acceptance.

The Regulations are not prescriptive about the sort of information that should be provided, but the text should be sufficiently full and intelligible to allow subscribers and users to clearly understand the potential consequences of allowing storage and access to the information collected by the device should they wish to do so.

Informed Opt-in

The consent requirement under the Regulations replaces the previous position which provided that visitors should be given the option to refuse cookies. Under the Regulations, the system changed from one of "informed opt-out" to one of "informed optin". It is widely believed that the most challenging area in which to achieve compliance with the Regulations is where a website allows or uses third party cookies. Here, website operators will need to make subscribers and users aware of this and direct them to information on how the third parties might use cookies so that the subscribers and users are able to make informed decisions.

The term "consent" is not defined in the Regulations or in the Data Protection Act (the "DPA"). It is, however, defined in the Data Protection Directive of 1995 as "any freely given specific and informed indication of his wishes". This Directive was implemented in the Isle of Man by the DPA.

The consent requirement under the Regulations has been the subject of much discussion since the publication of the Regulations and it is difficult to see how anything other than prior consent would comply with the wording of the Regulations.

There is an exception to the requirement to provide information about cookies and to obtain consent where the use of the cookie is for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or where such storage or access is 'strictly necessary' for the provision of an information society service requested by the subscriber or user. Except in these very limited circumstances, prior explicit consent will need to be given by a subscriber or user before using cookies.

The term 'strictly necessary' means that such storage of, or access to, information should be essential, rather than reasonably necessary, for this exemption to apply. A narrow definition applies to this term.

Obtaining Consent

The ICO has published useful guidance on compliance with the Regulations, including examples of different ways that consent to the use of cookies can be obtained. The ICO advises organisations to check what types of cookies they are using, assess how intrusive their use of cookies is and decide what solution(s) to obtain consent will be best in the circumstances. Where the use of a cookie type device involves the processing of personal data, website operators will also need to ensure they comply with the additional requirements of the DPA.

Enforcement

There are two ways that a subscriber's or user's rights under the Regulations may be enforced: 1) by the ICO; and 2) by a claim for damages brought by an individual who has suffered damages as a result of a breach of the Regulations.

The changes under the Regulations include the introduction of new powers for the ICO to enforce the requirements of the Regulations. The main change is that the ICO will now have the power to serve a monetary penalty of up to £500,000 on organisations that seriously breach the Regulations. It is anticipated that this power will only be used in limited circumstances. However, with the ICO's increased powers, the result of enforcement action is now potentially more severe.

The changes also include the introduction of new powers for the ICO to serve an information notice on certain third parties who hold information that is relevant to the ICO's investigation into a likely breach of the Regulations.

As originally appeared in Money Media - May 2012.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.