WHY?
The 2002 European Directive upon which the 2003 UK Privacy and
Electronic Communications Regulations were based has been revised by a
2009 EU Directive. This required the UK to implement the revisions
into its own law, which it introduced on 25 May 2011 through The Privacy
and Electronic Communications (EC Directive) (Amendment) Regulations
2011 (the “Regs”). The UK Information Commissioner’s Office (ICO)
announced a one-year grace period, delaying enforcement of the
Regs; that grace period expired on 26 May 2012.
The Regs are designed to protect the privacy of information (whether
the information is personally identifiable or not) and personal data
which is stored or made accessible in a user’s device. The aim of the
law is to prevent information being stored on devices and used to
recognise the user of that device without the owner’s knowledge and
consent.
HOW?
Both the older 2003 regulations and the Regs require websites to
provide visitors with clear and comprehensive information about how and
why cookies are being used on a website. However, with regard to the
second requirement, the 2003 regulations required websites to give users
the ability to ‘opt-out’ of cookies being stored on their devices,
whereas the Regs now include a requirement to obtain consent for
cookies and similar technologies. This means that cookies can no longer
be stored on a user’s device unless the user specifically consents in
advance. See Article 3 of 3 for more on consent.
EXCEPTIONS TO THE RULE
There are exceptions to the rule. Unless a website solely uses cookies
that fall into the “strictly necessary” category, in accordance with
the 4 categories based on the ICC UK cookie guide, the website is
legally bound to abide by the new requirements. For example,
using cookies to remember items in an online shopping basket, for the
purposes of security in online banking, or to help load web pages faster
is regarded as “strictly necessary” and therefore does not require
consent. All other common cookie usage falls into the other three
categories, all of which require consent (Performance; Functionality;
and Profile and Targeting). See Article 2 of 3 for further discussion on
“Cookie Categories”.
As is the case with the introduction of any new law that places a
restrictive-type practice on a person’s free will, the law has been
regarded by some as controversial and frustrating, with practical and
technological constraints being cited for the most part. Others are
confident that the UK law stands a good chance of becoming easily
accepted within the fabric of UK websites, thereby
bringing about a degree of certainty. This could be said to be largely
due to the somewhat pragmatic and relaxed approach adopted by the ICO in
the UK. The problem may lie more with the lack of harmonisation
throughout other EU countries where a website is accessible, wherein
implementation of the new rules may not be as lenient. See the ICO
guidance on the new cookies regulations.
ICO BREACHES AND SANCTIONS
It is unclear how the ICO will treat breaches of the law and how
exactly it will go about enforcing compliance but it is likely that only
serious breaches will lead to hefty fines of up to £500,000. However,
it wouldn’t be unheard of for a regulatory authority to treat persistent
breaches in a similar way. The ICO does have the power to commit an
organisation to take steps towards compliance and to compel compliance
(failure to do so would be a criminal offence).
THE LAW CAN CATCH YOU ANYWAY!
Regardless of the implementation of the Regs, there are existing
powers in current legislation to deal with unfair trade practices under
the Consumer Protection from Unfair Trading Regulations 2008 (“CPUTRs”),
a set of UK regulations to protect consumers from unfair,
misleading or aggressive marketing practices. Being technology neutral,
they are not specific to the digital and online world. However, any
practice used online which is deemed unfair, misleading or aggressive
will fall foul of the CPUTRs, which place a duty on regulators to act
when a consumer is deceived about the presence of cookies, even when the
information they have been given is correct. In theory, the Office of
Fair Trading (OFT) has the duty to enforce the CPUTRs and individuals
(not just businesses) who breach the law can be punished by up to two
years in prison or a hefty fine.
Hanne & Co can help you to respond immediately to the Regulations by:
(2) Providing you with suggested wording for a cookie warning message to be placed on your site as well as a Cookie Policy;
(3) Providing you with further advice as required by you.
Contact us on 020 7228 0017 or at info@hanne.co.uk and ask to speak to one of our Commercial Team