UK ICO Issues Guidelines for Online Compliance – C is for Cookie

The Information Commissioner’s Office in the United Kingdom, in furtherance of the European Union’s “browser cookie” laws (EU Privacy and Communications Directive), has just published a set of guidelines that commercial enterprises will need to comply with when the new law goes into effect May 26. Because the laws’ requirements relate to technology and marketing, the intention of the new guidelines is to provide guidance on compliance for businesses.

For background, in case you haven’t been following this closely: in November 2009, the European Parliament amended the Directive of Privacy and Electronic Communications 2002/58/EC (sometimes referred to as the e-Privacy Directive), which had mandated that websites give consumers the right to opt out of receiving cookies (in most cases by changing settings on their web browsers). The 2009 amendments reversed the requirement, setting the default as “opt in.” Consumers will have to give permission (informed consent) to a website in advance to allow a cookie to be placed on their computer.

The UK ICO’s guidance makes it clear that all businesses, private and public, will be required to get consent from the user, in advance of having a browser cookie downloaded and installed on the consumer’s computer. In addition, the ICO has amended the UK Privacy and Electronic Communications Regulations to mandate that clear and thorough information – to ensure informed consent – is provided to end users, explaining why their information is being stored and how it will be used by the commercial enterprise. Expect to see consumer-directed information soon, alerting consumers as to what their rights are and what to expect as businesses comply with the new law and regulations.

As you probably know if you are a loyal and longstanding reader, Legal Bytes in 2009 reported that the major players in the online advertising industry had issued self-regulatory principles concerning online behavioral advertising (Advertising Industry Collaboration Releases Self-Regulatory Online Behavioral Advertising Principles), and intended to create an industry self-policing mechanism, as well as disclosures to consumers concerning the use of their personal information. The self-regulatory mechanisms in the United States – these being similar – have followed an “opt out” approach to consumer privacy and the control of personal information. For multinational and international businesses worried about compliance (and that includes all you web browser publishers) – well, it’s complicated.

As always, if you need guidance for your advertising, marketing, privacy or data protection efforts, call me, Joseph I. (“Joe”) Rosenbaum, or any of the Rimon attorneys with whom you regularly work. Our lawyers deal with these issues every day.