The UK appears to be in the vanguard of jurisdictions charging ahead with implementation of an aggressive version of the directive. In the May 26, 2012 revisions to Regulation 6 of its Privacy and Electronic Communications Regulations 2003 (“PECR”) and the latest guidance from its Information Commissioner’s Office, the burden is on websites to include:
- An information page providing a general explanation of what cookies are, the file names of the cookies in use on the website and explanations of each cookie’s function;
- A sufficiently prominent link to that page from its homepage; and
- A pop-up box, gateway window, or header/footer bar by which a user must choose to “accept” the cookies from that website after having the option to read the information page.
The directive contains an exception for cookies that are strictly necessary. To be “strictly necessary” means that “such storage of or access to information should be essential, rather than reasonably necessary . . . to what is essential to provide the service requested by the user, rather than what might be essential for any other uses the service provider might wish to make of that data.” The exception does not apply when the cookie is only “‘important’ rather than ‘strictly necessary.’”
Cookies which the ICO indicates as likely to be considered “strictly necessary” are: (1) cookies used to remember the goods a user wishes to buy when they proceed to the checkout or add goods to their shopping basket; (2) certain cookies providing security necessary to comply with EU data protection requirements for an activity the user has requested – for example in connection with online banking services; (3) cookies that ensure that the content of your page loads quickly and effectively by distributing the workload across numerous computers.
Likewise, cookies which the ICO considers unlikely to be “strictly necessary” include: (1) cookies used for analytical purposes, for example to count the number of unique visits to a website; (2) first- and third-party advertising cookies; (3) cookies used to recognize a user when they return to a website so that the greeting they receive can be tailored.
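As an added illustration (not part of the original article), the following JavaScript shows how a site can apply the ICO categories above in practice: it keeps a registry of its cookies, generates the entries for the required information page, and sets only strictly necessary cookies until the user has accepted. The cookie names and purposes are constructed for the example, and `setCookie` is an assumed caller-supplied function (in a browser it would write `document.cookie`).

```javascript
// Constructed cookie registry: file name, function, and ICO-style category.
const COOKIE_REGISTRY = [
  { name: "basket_id",    purpose: "Remembers goods added to the shopping basket",       category: "basket" },
  { name: "bank_session", purpose: "Secures an online banking session the user requested", category: "security" },
  { name: "lb_node",      purpose: "Distributes page load across several servers",        category: "load-balancing" },
  { name: "_visits",      purpose: "Counts unique visits (analytics)",                    category: "analytics" },
  { name: "ad_id",        purpose: "Third-party advertising identifier",                  category: "advertising" },
  { name: "greet_name",   purpose: "Tailors the greeting on return visits",               category: "personalisation" },
];

// Categories the ICO indicates are likely to be "strictly necessary":
// shopping basket, security for a requested activity, and load distribution.
const STRICTLY_NECESSARY = new Set(["basket", "security", "load-balancing"]);

function isStrictlyNecessary(cookie) {
  return STRICTLY_NECESSARY.has(cookie.category);
}

// Cookies the site may set given the user's consent state. Before consent,
// only strictly necessary cookies are permitted; everything else waits.
function permittedCookies(registry, consentGiven) {
  return registry.filter((c) => consentGiven || isStrictlyNecessary(c));
}

// One line per cookie for the information page: file name, function, and
// whether it is exempt from consent or not.
function informationPage(registry) {
  return registry.map((c) =>
    `${c.name}: ${c.purpose} [${isStrictlyNecessary(c) ? "strictly necessary" : "requires consent"}]`);
}

// Applies the gate. `setCookie(name)` is assumed to be supplied by the caller.
// Returns the names of the cookies that were set.
function applyConsentGate(registry, consentGiven, setCookie) {
  const allowed = permittedCookies(registry, consentGiven);
  allowed.forEach((c) => setCookie(c.name));
  return allowed.map((c) => c.name);
}
```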
Compliance is required not only from websites hosted in the U.K., but also those around the world so long as they offer products or services to users in Europe. For U.S. companies and their retail websites, the potential £500,000 ($774,500) fine per violation and reluctance to adopt a customer-unfriendly format mean that many would rather block European users from buying over their websites altogether.
For now, widespread noncompliance even among U.K. websites (an April 2012 KPMG survey concluded that 95% of major U.K. companies were not in compliance with the U.K.’s national implementation of the directive) and frequently changing legal guidance from the U.K. Information Commissioner’s Office mean that businesses are taking a wait-and-see approach. Behind the scenes and invisible to users, changes are likely already taking place as risk-averse businesses audit their websites for redundant and obsolete cookies and, perhaps, implement subtle changes which satisfy the letter but not the spirit of the Cookie Directive.
Will the other shoe drop? Many suspect not. Many urge not. The only certainty is that businesses with retail websites will be closely watching the E.U. and U.K. in the months ahead.
Co-authored by David Chen