Selling into the EU – what do the cookie laws mean for your website?

In May 2012, the United Kingdom’s statutory adoption of the  European Union (EU’s) Cookie Laws came into force.  The effect of the law is that website operators must obtain the express consent for a cookie to be saved and used on a users computer.  The law applies to organisations that host websites from within the EU and also to organisations based in the UK that host outside the jurisdiction.

According to wikipedia “a cookie  also known as an HTTP cookie, web cookie, or browser cookie, is a small piece of data sent from a website and stored in a user’s web browser while a user is browsing a website”.  The principle behind a cookie is that it assists the operator of the website to store information on a users use of a website which enhances the users experience, by for example remembering information which may have been added to a shopping cart.

In essence Directive 2009/136/EC of the Eurpoean Parliament and of the Council is a Privacy Law aimed at protecting consumers aninomity whilst browsing websites.  The UK’s adoption of Directive 2009 has received legislative recognition in the The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR Regulations).  The defininition contained in the PECR Regulations is somewhat broader in that it includes similar technologies for storing information, which, in effect is a catch all.

How to comply with the PECR Regulations?

At first glance there appears to be several ways to comply:

• stop your webite’s use of cookies;
• obtain consent in the form of an explicit Privacy Policy or Terms of Use; or
• obtain implied consent;
• obtain consent through ensuring that users have appropriate browser privacy settings;
• obtain an express consent through the use of an express “I agree” link to an explanation of what information the cookie collects and how it operates.

Anyone with any experience in running a website will acknowledge that the last option is likely to be a barrier to adoption.  That said, the First Information Commissioner has issued a guide to compliance which provides a useful assistance for those wishing to comply with the PECR requirements.

What are the Penalties?

The UK’s First Information Commissioner has the power to issue penalties of up to 500,ooo pounds – so it’s far from a toothless tiger!

Does it apply to your website?

If you are an Australian company targetting the UK market it is not settled whether the PECR Regulations will apply to you.  The First Information Commissioner’s Guide provides that:

“Organisations based outside of Europe with websites designed for the European market, or providing products or services to customers in Europe, should consider that their users in the UK and Europe will clearly expect information and choices about cookies to be provided“.

Therefore, it is unclear (other than on a choice of laws argument) whether the Cookie Laws apply to Australian organisations selling into the European market.

Further the PECR Regulations may have broader implications for developers of CMS Systems who may inadvertantly omit functionality which may allow for compliance with the Cookie Laws.

Further information

The UK’s Information Commissioner’s Office has provided a guide entitled “Guidance on the rules on use of cookies and similar technologies” to assist organisations to comply with the new cookie laws, contact us for a confidential and obligation-free discussion:

Disclaimer

This article contains general commentary only.  You should not rely on the commentary as legal advice.  Specific legal advice should be obtained to ascertain how the law applies to your particular circumstances.

---

Related insights about technology law