ICO gives website owners one year to comply with cookies law

Organisations and businesses that run websites aimed at UK consumers are being given up to 12 months to ‘get their house in order’ before enforcement of the new EU cookies law begins, Information Commissioner Christopher Graham said this week.

The UK government has revised the Privacy and Electronic Communications Regulations, which come into force in the UK on 26 May, to address new EU requirements. The Regulations make clear that UK businesses and organisations running websites in the UK need to get consent from visitors to their websites in order to store cookies on users’ computers.

One common technique of storing information is widely known as a cookie. This is a small file that a website puts on a user’s computer so that it can remember something, for example the user’s preferences, at a later time. The majority of businesses and organisations in the UK currently use cookies for a wide variety of reasons – from analysing consumer browsing habits to remembering a user’s payment details when buying products online.

As the independent arbiter of information rights, the Information Commissioner has been charged with regulating the new rules for websites aimed at UK consumers.

The ICO has today published guidance on its approach to enforcing the new rules – as well as guidance on other new powers coming into force as part of the revised Regulations.

This includes:

• Guidance on how the ICO will enforce the new rules on cookies

• Information for consumers on what the new rules will mean for them and how to complain to us

• Information on what the ICO itself is doing to comply with the new rules in respect of its own website

Speaking at the Incorporated Society of British Advertisers’ briefing on cookies, privacy and consumers, Information Commissioner, Christopher Graham, said: “I have said all along that the new EU rules on cookies are challenging. It would obviously ruin some users’ browsing experience if they needed to negotiate endless pop ups - and I am not saying that businesses have to go down that road. Equally, I have to remember that this law has been brought in to give consumers more choice about what companies know about them. That’s why I’m taking a common sense approach that takes both views into account.

“Browser settings giving individuals more control over cookies will be an important contributor to a solution. But the necessary changes to the technology aren’t there yet. In the meantime, although there isn’t a formal transitional period in the Regulations, the government has said they don’t expect the ICO to enforce this new rule straight away. So we’re giving businesses and organisations up to one year to get their house in order. This does not let everyone off the hook. Those who choose to do nothing will have their lack of action taken into account when we begin formal enforcement of the rules.

“As the regulator, I’m conscious that my own website will be looked at for a model of how to comply. We’ve decided to place a header bar on our website giving users information about the cookies we use and choices about how to manage them. I am not saying that other websites should necessarily do the same. Every website is different and prescriptive and universal ‘to do’ lists would only hinder rather than help businesses to find a solution that works best for them and their customers. The initial advice that we issued earlier this month will continue to be supplemented with real-life examples as they come in.”

Commenting on the ICO’s approach, Stephen Robertson, Director General of the British Retail Consortium (BRC), said: “Retailers recognise the challenge of legislating in the changing online environment – which is why the BRC has worked closely with the ICO to help ensure a balanced approach to regulation that helps UK business maintain its position as world leader in e-commerce while also providing clarity on important consumer rights.

“The retail sector supports the advice produced, especially the suggested approach that allows a 'lead in' period for businesses. We'll continue to maintain close engagement with the ICO to support policy development that is clear, consistent and supportive of businesses and consumers shopping online.”

On the other new powers granted to the ICO as part of the Regulations, Christopher Graham added: “Let’s not forget that the revised Regulations grant the ICO other significant new powers. Along with the power to impose financial penalties on telecoms and internet companies who fail to notify us about their data breaches, we will also have stronger powers to investigate the businesses behind nuisance marketing calls and spam texts. Tackling the businesses that make money from this is a challenge, but these new powers will give us access to more of the information we need to do the job.”

Background information

1. Guidance on how the ICO will enforce the new rules on cookies is available on the ICO website here.

2. Information for consumers on what the new rules will mean for them and how to complain to us is available on the ICO website here.

3. Information on what the ICO itself is doing to comply with the new rules is available here.

4. The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

5. The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.

6. Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:

• Fairly and lawfully processed

• Processed for limited purposes

• Adequate, relevant and not excessive

• Accurate and up to date

• Not kept for longer than is necessary

• Processed in line with your rights

• Secure

• Not transferred to other countries without adequate protection