Recent U.K. legislation, known as the “Cookie Law,” has forced the issue of business needs vs. online consumer privacy rights into the limelight.
Members of the British Parliament approved the U.K. Privacy and Electronic Communication Regulations Act (PECR) on May 26, 2011. It requires all U.K. businesses — and sites that do business in the U.K. — to:
- Notify users of tracking and data-collecting cookies; and
PECR applies to apps developed for mobile devices as well as traditional online websites.
The move to institute this U.K.-specific legislation was prompted by a similar E.U. directive that requires website administrators and e-commerce sites to monitor and maintain control over the types of cookies present on their sites, especially those that can be used to track the browsing activities of users.
Online Privacy UK Cookie Law: What Are Cookies?
Cookies are small packets of data used to track online behavior. They’re how sites can remember you or provide behavioral-based recommendations. Session cookies last only for the duration of one visit to the website; persistent cookies are stored indefinitely to allow for easier navigation and a more personalized experience for the end user.
Cookies are primarily used to enhance the user’s experience by storing certain identifying information in order to streamline browsing. In some cases, however, tracking cookies are used to obtain detailed information on the user’s browsing habits, creating a significant threat to online privacy. These tracking cookies can be used to tailor advertising or monitor the user’s online activities for less savory purposes.
What is the U.K. Privacy and Electronic Communication Regulations Act?
The E.U. e-Privacy rules were already applicable to U.K. businesses and slated to go into effect in 2011, but a lack of public awareness delayed compliance. As a result, the new privacy protection legislation offered an extension to allow e-commerce companies, government agencies and website administrators the time needed to implement these new cookie restrictions and regulations. This extension expired and the new rules went into effect on May 26, 2012.
Online Privacy UK Cookie Law: Requirements of PECR
Companies and agencies that maintain an online presence are required to control the cookies present on their site. They’re also responsible for protecting consumers against unauthorized tracking of web activities. Cookies necessary to the e-commerce or online business payment process are exempted from the law; this includes cookies that allow items in an online shopping cart to be transferred to the payment page and cookies used to verify identity when processing those payments.
In other cases, companies are required to present users with a choice to accept or deny cookies from a site. Users who opt out of website cookies on a particular site can change their decision later. Additionally, many Internet service providers already offer users the choice to opt out of all cookies, to accept only cookies from certain sites or to allow all cookies from all sites.
Online Privacy UK Cookie Law: Other Forms of Online Tracking
Another critical element in the U.K. Cookie Law Act is the requirement that all forms of user tracking and tagging be monitored and maintained by website managers. The language of the legislation specifically targets non-essential tracking and non-essential cookies; however, these terms aren’t fully defined in the bill. In general, it’s likely that e-commerce related cookies and tracking will be exempt from PECR requirements. All other tracking and tagging of users without informed consent may create a liability for the offending website and company.
Online Privacy UK Cookie Law: A state of disarray
Despite the May 26 deadline, it is estimated that the majority of U.K. businesses, government entities and public sector agencies have failed to implement measures to meet these new requirements. According to official statements made by a spokesperson for the Cabinet Office, the majority of government websites have not yet achieved compliance with the new PECR Act regulations. In part, this high degree of non-compliance may be due to a failure to adequately publicize and explain the new requirements. No penalties are likely to be assessed at the current time, according to the Information Commissioner’s Office (ICO), the government body responsible for enforcement of PECR legislation.
Online Privacy UK Cookie Law: Mixed messages
The ICO stated it’s unlikely to penalize companies that show progress toward meeting the requirements of PECR within a reasonable time frame, but the agency has not yet defined what level of progress is necessary to avoid penalties. In addition, recent changes in the ICO guidance regarding this legislation seem to indicate that implied consent will also be allowed as a method for meeting these requirements. Implied consent would be considered to exist if users continued to use the website after the May 26, 2012 deadline. This would essentially shift the burden of compliance from the website administrators to the end user.
Online Privacy UK Cookie Law: Will This Law Even Make A Difference?
PECR is likely to have a significant impact on advertising-dependent websites. However, recent adjustments to the U.K. guidance on compliance appear to weaken the consumer protection aspects significantly. These changes may actually allow businesses to assert compliance without making any changes to their existing sites at all, allowing the status quo to continue despite both the E.U. Directive and the provisions of PECR legislation.