Have you got a cookie monster lurking in the wings?

A new Government report has been issued on the use of cookies and the data protection obligations imposed on electronic communications providers.

The Department for Culture, Media and Sport has released a report on the implementation of the revised EU Electronic Communications Framework. The Framework regulates all transmission networks and services for electronic communications, including email and the Internet, and has recently been amended to create new obligations relating to consumer protection and e-privacy.

One of the fundamental amendments concerns cookies, which store information about internet activity on a user's computer. Until now, users have been given the 'right to refuse' cookies, traditionally done using internet browser settings. The amended Framework now requires actual user consent to the use of cookies. Cookies that are "strictly necessary" for a user-requested service are excluded - no further clarification has yet been given in the legislation, but cookies used for online shopping carts are expected to be an example.

The legislative changes will be made by amending the Privacy and Electronic Communications Regulations 2003 (known as "PECR"), although the Government has decided that the practical solutions for how to achieve compliance should originate from industry. It is supporting proposals made by the IAB (Internet Advertising Bureau) for a self-regulatory system. The IAB has proposed that any adverts used as part of 'online behavioural advertising' (i.e. which collect web viewing behaviour data) should contain or be placed near an icon which shows adherence to its system. Users can click on the icon to see information about who is collecting information, what is being collected and why, and will also be able to choose whether their data is collected. If an organisation wishes to harvest data from all or substantially all web pages visited by a computer, it must first obtain explicit consent. In addition to the IAB proposals, the Government intends to consider further technical solutions.

There have also been some substantive revisions that are particularly relevant to providers of electronic communications services, including telecommunications service providers. There is now a duty on providers to notify personal data breaches to the ICO. In some circumstances, the person whose data is breached must also be notified by the provider. 

The ICO can now also conduct audits and issue sanctions on providers which do not comply with the directive. For example, telephone and/or internet service providers may be subject to a third party information notice which enables the ICO to track companies who "cold call" or "spam" while masking their identities. Those organisations which conduct unsolicited email or telephone marketing may also be fined up to £500,000 by the ICO and there are potential criminal sanctions for the most serious breaches. 

Further guidance on this topic is due to be issued by the ICO. The revised version of PECR is due to be in force from 25 May 2011, although it is unlikely to be enforced in full until later this year. What is clear, however, is that all businesses operating websites which utilise cookies will need to be seen to be actively planning changes to their websites in the short term, and implementing those changes as soon as possible after the end of May.

There are technical challenges to be overcome and a genuine desire amongst politicians not to disadvantage British businesses by making them implement consumer protection measures greater than those to be implemented in the rest of the EU, but everything now coming from the Government on this topic indicates that the time for lobbying has passed and the time for putting in place compliance measures is fast approaching. The message from the ICO is that any business caught napping cannot say that it has not been warned. 

Posted on: 26/04/2011

This article is for general guidance only. It provides useful information in a concise form. Action should not be taken without obtaining specific legal advice.

Sign up to receive email updates and regular legal news from Rollits LLP.
