The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011

The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 - the new 'cookie law' - came into force in May 2011.

A key change in the cookie law is that website owners must now get the consent of a website user before placing a cookie on the user's computer or mobile device. The Privacy and Electronic Communications Regulations 2003 - the old law - allowed cookies to be placed on the user's computer or mobile device first and only then required the website owner to provide an opt-out after the event.

The UK regulator, the Information Commissioner's Office, agrees that cookies perform a number of legitimate functions. The regulator also recognises that gaining consent will, in many cases, be a challenge. However, it is important to remember that these rules give you the opportunity to check how well you explain to the people who visit your web pages how those pages work. Complying with the new cookie law will allow you to be confident that your website users have a better and clearer understanding of what you do and how you do it.


Old rule


The old rule on cookies was set out in Regulation 6 of The Privacy and Electronic Communications Regulations 2003:

6. (1) Subject to paragraph (4), a person shall not use an electronic communications network to store information, or to gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.

(2) The requirements are that the subscriber or user of that terminal equipment -

(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and

(b) is given the opportunity to refuse the storage of or access to that information.


What does the new cookie law say?


The new requirement is that cookies can only be placed on machines where the user or subscriber has given their consent. The amended Regulation 6 reads:

6 (1) Subject to paragraph (4), a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.

(2) The requirements are that the subscriber or user of that terminal equipment--

(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and

(b) has given his or her consent.

(3) Where an electronic communications network is used by the same person to store or access information in the terminal equipment of a subscriber or user on more than one occasion, it is sufficient for the purposes of this regulation that the requirements of paragraph (2) are met in respect of the initial use.

(3A) For the purposes of paragraph (2), consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent.

(4) Paragraph (1) shall not apply to the technical storage of, or access to, information--

(a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or

(b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.


Exception to the rule


The only exception to this rule is if what you are doing is ‘strictly necessary’ for a service requested by the user. This exception is a narrow one but might apply, for example, to a cookie you use to ensure that when a user of your site has chosen the goods they wish to buy and clicks the ‘add to basket’ or ‘proceed to checkout’ button, your site ‘remembers’ what they chose on a previous page. You would not need to get consent for this type of activity.


Reference


The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011, UK/2011/SI/1208
