The safe way to web shopping
Company | Partners | Press | Jobs | Consumers Login
We are happy to answer your questions

Reading tip: the implementation of the Cookies Directive in the UK

Published by Giulia Pohl on January 25, 2012

The deadline for implementing the EU’s “Cookies Directive” expired on 25 May. Germany has not yet implemented the Directive. On 26 May 2011, Great Britain issued the new Privacy and Electronic Communications Regulations. Those affected now have one year to adjust their websites in line with the new regulations.

How has the UK implemented the Cookies Directive?

So far only eight of the 27 Member States of the European Union have implemented the Cookies Directive, although the deadline for doing so expired on 25 May 2011. Those countries are Denmark, Estonia, Finland, France, Ireland, Malta, Sweden and Great Britain.

Implementation in Great Britain

In the magazine for data protection Zeitschrift für Datenschutz (ZD) 2012, 24, Andreas Thürauf published an interesting article entitled “Cookie Opt-in in Great Britain – the Future of Cookies? Overview of the Changes and Effects”.

The article concerns the implementation of Directive 2009/136/EC into British law, the solutions proposed by the Information Commissioner’s Officer (ICO) and the possible effects of the new law on behavioural advertising.

First, the author presents the British regulations that were applicable up to 26 May 2011: He mentions that up to 26 May 2011 in Great Britain, Article 6 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR 2003) intended that the users of a website should be provided with clear and comprehensive information on the purpose, type and scope of the use of cookies and be given the opportunity to refuse the storage of cookies on their end device. In practice, that information was often contained in the website’s legal notice.

Article 6 of PECR 2003 was amended through the implementation of the Cookies Directive. Most of the wording of the Directive was adopted.

Consent to the placement of cookies

According to the Directive, in principle the user must give his/her consent to the use of cookies, unless they are strictly necessary in order for the provider of an information society service to supply the service explicitly requested by the subscriber or user.

The requirement to provide clear and comprehensive information from the existing regulations has been retained.

When is a cookie strictly necessary?

The Information Commissioner’s Officer (ICO) – the data protection officer in the UK, who is appointed by the crown and independent of the government, has proposed solutions for obtaining effective consent.

According to Thürauf, these solutions could also be of significance for the other Member States, as Great Britain would like to play a pioneering role in the issue of consenting to cookies.

The ICO cites “shopping basket cookies” as an example of cookies that do not require consent: The author states that the ICO gives as an example the use of a cookie in an online shop in which the customer marks products which he/she would like to add to the shopping basket. In this case, the consent-free cookie enables products which were marked on a previous page to also remain in the site’s “memory” and to still appear as selected if it is called up again.

He considers that cookies which are used so that the operator of the site knows that the user has not agreed to the placement of cookies are as such also exempt from the requirement to obtain consent.

The time when consent is given

Thürauf then considers the issue of the time when consent is given and presents the different opinions, for example that of the Department for Culture Media and Sport (DCMS) and the Article 29 data protection group.

However, the ICO has not yet stated a position regarding the time when consent is given.

Browser settings as consent?

In Germany there is frequent discussion as to whether certain browser settings for blocking cookies should be sufficient. The ICO in Great Britain takes a different position on this issue:

The author cites that because, according to the ICO, the browser settings cannot be deemed to constitute consent to the placement of cookies, or only in particular cases, the ICO provides a catalogue of measures for obtaining effective consent from the user.

He then presents several possible solutions.

  1. Obtaining consent by means of a pop-up
    According to the ICO, this possibility is the clearest, but not the most elegant.
  2.  Consent to the conditions of use
  3. Individual setting of the website
  4. Use of analytical cookies

Notification of the use of cookies is provided in the headline or footer of the website and users must give their consent there. The ICO uses this solution itself on its website and considers it to be a model example.

Conclusion

In the conclusion of his article, Thürauf argues that the conception of the ICO is as yet the most far-reaching initiative of the European Union for solving the problem of the cookie opt-in.

He also believes that the advice on the implementation of the obligation to obtain consent provided by the ICO is suitable to be transferred to other Member States. However, it is necessary to wait and see how the other states implement the Directive.

Finally he quotes that if one follows the opinion of the British legislator, the implementation and permissibility of consent by means of browser settings depend on the technical development of the browsers.



«
»
References: