Cookie Law in the UK

Privacy and Electronic Communications Regulations

The EU Cookie Directive was implemented into UK law under the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 which are themselves an amendment to the Privacy and Electronic Communications (EC Directive) Regulations 2003.

These regulations came into UK law on 26 May 2011, one day after the deadline set by the EU.

Wording of the UK Regulations

There is one key section of the UK regulations that is relevant to website owners in respect of user consent:

Confidentiality of communications

6.—(1) Subject to paragraph (4), a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.

(2) The requirements are that the subscriber or user of that terminal equipment— (a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and (b) has given his or her consent.

(3) Where an electronic communications network is used by the same person to store or access information in the terminal equipment of a subscriber or user on more than one occasion, it is sufficient for the purposes of this regulation that the requirements of paragraph (2) are met in respect of the initial use.

(3A) For the purposes of paragraph (2), consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent.

(4) Paragraph (1) shall not apply to the technical storage of, or access to, information— (a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or (b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.

An everyday interpretation of this would read:

You cannot store or gain access to information stored on a computer, unless the user has been given clear and comprehensive information about what you want to do, and why, and has given their consent to do so.

The exception to this rule is when the user requests a service and that service cannot be provided without storing or gaining access to information stored on their computer.

UK Enforcement of the Regulations

Enforcement of the regulations is the responsibility of the Information Commissioners Office (ICO). They have investigatory powers and the ability to impose fines of up to £500,000 for serious breaches of the regulations.

The ICO’s approach to enforcement is a very light touch one. They have put in place a complaints mechanism, but do not take any proactive investigative action.

As of Spring 2013, the most action they have taken is to make a visual check of sites to see whether or not they have any user notification of the use of cookies. They have the power to force site owners to change their site to comply with the law, but have also said that it is unlikely they would go so far as to impose a fine for non-compliance with the law.

This has led to a situation where many websites either ignore it completely, or try to do as little as possible to avoid the threat of action. Some people have argued that this has led to a situation where online privacy has been diminished as a result of the law, rather than strengthened.

EU Cookie Directive