Cookie-replacement tracking technology would be subject to same 'cookie law' rules, says ICO

Out-Law News | 04 Nov 2013 | 2:17 pm

Businesses that track internet users' behaviour in order to serve them with personalised content, such as adverts, using technology that will replace 'cookies' will still be subject to UK privacy laws, the Information Commissioner's Office (ICO) has said.

A number of major technology companies, such as Google and Apple, are reported to be in the process of developing new ways of tracking individuals' online activity amidst concerns about the limitations of, and attitudes towards, cookies, according to Mercury News. The companies have yet to disclose how the new tracking technologies would work.

The ICO said that it was aware of the developments and urged the companies involved to liaise with it to help ensure privacy rights are respected in how the new technologies operate.

The watchdog confirmed that businesses using the new technologies would be required to comply with UK data protection and privacy rules, even if the new technologies can facilitate tracking without storing or accessing data from individuals' computers or other devices.

"We are aware of these developments and can confirm that the use of any technology to track individuals online carries clear privacy concerns and would be required to comply with all relevant aspects of the Data Protection Act and the Privacy and Electronic Communications Regulations," an ICO spokesperson said. "For consent to be valid in the context of either piece of legislation companies must, first and foremost, be open and upfront with their consumers by explaining how their information is being used, as well as giving users a clear choice as to the options available to them."

"Failure to look after people’s information correctly not only leaves a company open to potential enforcement action by our office, but will significantly damage its reputation. After all, it is in a company’s best interests to remain on the right side of the law. As with any new technology, following a Privacy by Design approach from the outset can deliver real benefits to individuals and we will be happy to work with companies to help them achieve this," they added.

Cookies are small text files that store details of internet users' online activity. Website operators often use cookies to record user behaviour for the purpose of analytics or to deliver personalised content to those individuals, whilst advertisers also use cookies to deliver targeted ads based on users' prior interactions online.

EU rules require individuals to consent to the placing of cookies on their device by the website operators and advertisers in most circumstances.

The EU's Privacy and Electronic Communications (e-Privacy) Directive permits the storing and accessing of information on users' computers "on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information … about the purposes of the processing".

An exception to the consent requirements exists where the cookie is "strictly necessary" for the provision of a service "explicitly requested" by the user.

The meaning of 'consent' under the e-Privacy Directive is taken from how the term is defined under the EU's Data Protection Directive. Consent to personal data processing must therefore be "freely given, specific and informed". There is no requirement that individuals' consent is explicitly given under the current framework, other than where the data being processed is categorised as being sensitive.