So, what is the EU ‘Cookies Law’ and why should we worry about it?
The ‘Cookies Law’ is a regulation that requires websites within the EU to inform their users that ‘Cookies’ (small data files; not the tasty kind, unfortunately) are being kept to both enhance your browsing experience and allow companies to gather data about your internet browsing habits.
Whilst this isn’t something we enforce or deal with as a business, we wanted to give you an insight into what exactly the Cookies Law is and how it affects both company websites and the users that frequent them.
Below is a Q&A with Dan Read and Emma Fox of TLT: experts in Technology & Communications law (among other things), they were incredibly kind in answering questions we had and giving us some background into the details and logistics.
Could you explain what the ‘Cookies Law’ actually is (i.e. in laymen’s terms)?
The ‘Cookies Law’ (officially the “Privacy and Electronic Communications Regulations 2003” or “PEC Regs”) is a law that was brought in to make sure that businesses appropriately protect people’s personal information online. The law requires that any person or business using cookies on their websites:
- tells users that cookies are being used;
- tells users what the cookies do and why; and
- gets consent from users to use and store cookies.
The Cookies Law originates from a European law which is currently being reviewed and is due to be updated soon.
*Who does the ‘Cookies Law’ affect? For example, would my personal website need to have a disclaimer or is it for more established companies? *
Q: What are the allowed mechanisms to register consent? (i.e. do users actually have to click a button or is scrolling past the fold enough to consider it ‘consent’?)
In order to be valid, consent must be freely-given, specific and informed. Having an ‘I accept’ or ‘O.K.’ button is a common way to get consent and one of the safest ways of making sure these requirements are met. However, it’s not necessarily the only way to get consent. In some situations, it can be acceptable to imply consent from a user’s failure to click ‘No’ in a pop-up or failure to change cookies settings. However consent is obtained, website operators setting cookies must always provide a ‘cookies notice’ which tells individuals clearly what cookies are used, what they are used for and how long they are stored.
Q: Who enforces the ‘Cookies Law’?
The Information Commissioner’s Office (ICO) is the UK regulator in charge of enforcing the PEC Regs.
Q: What legal ramifications are there for not having a disclaimer on a website?
If a website does not have a cookies notice and/or a compliant consent mechanism, the ICO can investigate and has the power to take enforcement action. For example, the ICO could require a website operator to take certain steps to comply with the laws or could fine the operator if the breach is considered to be serious. The ICO also publishes enforcement action it takes, so any breach could become public and have serious consequences for their reputation.
Q: Now that the UK will be leaving the E.U., is the ‘Cookies Law’ still relevant?
The Cookies Law will still be relevant after Brexit. Because the European Cookies Law is currently being updated, we will most likely have a new, stricter law by the time we leave. Once the UK has exited the EU, there may be some flexibility in our laws which might mean they could be made less strict.
However, although it’s not currently clear exactly what the UK’s cookies laws will look like post-Brexit, the general concepts of transparency and consent will almost certainly remain.
The current European law doesn’t apply to websites outside the EU.
Q: Is there any other privacy legislation that companies or the general public should be aware of?
The PEC Regs complement the UK’s Data Protection Act 1998, which places more general privacy obligations on businesses. For example, the Data Protection Act requires businesses to tell people what their information is being used for, to hold and store that information securely and to allow people to access their own information on request.
This law is also due to be replaced by an updated, stricter European originating law in the next two years and there will be severe consequences for businesses which do not comply. It will therefore become even more important for businesses to make sure they are meeting their data protection obligations.
A big thank you to Dan and Emma for obliging us and answering all of our questions. If you’d like to know more about their services, have a look at the TLT website to see what areas of law they can advise on.
This article was originally posted at CookiesHQ.