Out-Law News 2 min. read
28 May 2013, 4:38 pm
KPMG said it had reviewed the websites of 55 major UK organisations from across the private and public sectors and found that more than half (51%) were non-compliant with EU laws on cookies. Cookies are small text files that record internet users' online activity.
However, the accountancy firm said that the EU's Privacy and Electronic Communications (e-Privacy) Directive requires website operators to obtain users' "explicit consent, before cookies can be installed". Data protection law expert Kathryn Wynn of Pinsent Masons, the law firm behind Out-Law.com, said that this was not necessarily the case.
"Nowhere in the e-Privacy Directive does it state that explicit consent to cookies is required," Wynn said. "Obtaining explicit consent, through tick-box solutions for example, is just one way that companies can demonstrate that they have a valid and meaningful consent from internet users."
In 2009, the e-Privacy Directive was changed to state that storing and accessing information on users' computers would only be lawful "on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information ... about the purposes of the processing".
Consent must be "freely given, specific and informed". An exception exists where the cookie is "strictly necessary" for the provision of a service "explicitly requested" by the user – for example, to take the user of an online shop from a product page to a checkout.
The EU laws were implemented in the UK through amendments to the Privacy and Electronic Communications Regulations (PECR) in 2011 and the ICO was tasked with enforcing the new law and handed the power to fine those that failed to comply up to £500,000. The watchdog elected to place a year's hiatus on its enforcement of the new rules to give organisations more time to find a technical solution that suited them that also complied with the legal framework.
Wynn said that many organisations can rely on internet users' implied consent in order to legitimately serve them with cookies.
"Providing that businesses prominently display and make readily available clear and relevant information to users that explains which cookies are being used and for what purposes, and allow users to control that cookie use, for example by opting out of some or all of the cookies being used, those firms can say that they have obtained users' consent in line with the e-Privacy Directive," Wynn said. "This is the case even if users make no affirmative action to permit cookies to be served."
"This approach has been widely adopted and explains why website banners have become widely used. No longer can information about cookies be hidden away from users in firms' privacy policies or browser settings relied upon," she said
Wynn said that businesses that use cookies that are particularly privacy invasive do need to go further to obtain a valid and meaningful consent to use of those cookies. She said that could be one situation where organisations use opt-in tick box solutions to obtain users' explicit consent in order to provide certainty of compliance.
KPMG said that 43% of the 55 websites it analysed were relying on implied consent to serve cookies.
"By adopting this implicit approach, organisations are assuming individuals have previously consented to receiving cookies and this is hardly the spirit in which the legislation was introduced," Stephen Bonner, partner at KPMG, said.
Earlier this year the ICO announced that it had changed its own cookies consent solution away from requiring users' explicit consent. Instead it said that it would provide "clear, detailed information" about what cookies have been set and will also be given access to an "easy way to remove them" if they do not want them set on their machines or devices. The watchdog said its change in policy was "consistent" with guidance it has issued on obtaining implied consent to cookies.
