Out-Law News

New law on cookies, data breaches and ICO powers comes into force today

New laws governing cookies, personal data breaches and the powers of the UK's privacy watchdog come into force today. The Privacy and Electronic Communications (Amendment) Regulations implement changes in EU law.

The new law requires website operators to make sure they have "informed consent" for the use of cookies. Business groups and privacy watchdogs are divided, though, on exactly what this means.

The new Regulations implement changes made in 2009 to the European Union's ePrivacy Directive.

The changes aim to give users more choice and control over what information businesses and other organisations store on their computers and how they track users.

Businesses have said that they are confused about exactly what they need to do in order to comply with the new laws. UK privacy watchdog the Information Commissioner's Office (ICO) recently published guidance (10-page / 126KB PDF) on how websites can comply with the new cookie laws and the informed consent requirements.

That guidance, though, is not definitive and leaves it up to organisations to decide how best to obtain the necessary consent.

The ICO said this week that organisations would have a year in which to change their use of cookies to comply with the law before it began taking enforcement action.

The Government has said that it is working with browser makers to come up with a way to gather consent via browser settings, but that this will not be ready for this week's implementation of the laws.

"The delay in the publication of guidance, the lack of clarity and Government's admission that a technical browser-based solution will not be ready by the implementation date has left businesses and organisations in a state of uncertainty," said Claire McCracken, a technology law specialist at Pinsent Masons, the law firm behind OUT-LAW.COM. "There is no definitive guidance on how to achieve compliance, leaving businesses and organisations without a firm course of action to ensure that they don't fall foul of the new cookie laws."

The ICO said that businesses must be able to show that they are addressing their use of cookies and are putting into place a plan to comply with the new law as soon as it comes into effect.

"The government's view is that there should be a phased approach to the implementation of these changes. In light of this, if the ICO were to receive a complaint about a website, we would expect an organisation's response to set out how they have considered the points above and that they have a realistic plan to achieve compliance", the ICO guidance said.

The Regulations also introduce a new requirement that certain kinds of companies, those providing public electronic communications services, tell customers when their personal data has been exposed through hack attacks or loss.

The Regulations define a "personal data breach" as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service".

When this happens the company must tell the ICO, outlining what happened, what the consequences are likely to be and what action the company has taken.

Companies must also tell users about the breach if it is likely to affect their data.
