Website Law

The web law blog

Archive for the 'Data Protection' Category

The effects of the new cookies laws

July 14th, 2011 by Katharine Byrne

On 26 May 2011, the rules about the use of cookies and similar technologies were changed. The change was prompted by amendments to the EU’s Privacy and Electronic Communications Directive. Although several weeks have passed since the change, few websites comply with the new law, and confusing guidance from the UK and EU data protection authorities has left website owners scratching their heads.

What the law says

The old rules on cookies said that you had to tell users what cookies were doing, why they were there, and how users could opt out of receiving them. The usual practice was to provide this information in a privacy policy.

The new rules (quoted in full at the end of this post) require that websites obtain a user’s consent before using cookies.

There is an exception to this new rule: if a cookie is strictly necessary for “the provision of an information society service requested by the subscriber or user”, then consent will not be needed before the cookie can be placed on the user’s computer. However, the Information Commissioner has indicated that this exception will be interpreted narrowly.

Methods of getting consent

One area of confusion concerns the question of consent. Widely discussed possibilities include the use of browser settings, the use of pop-ups, consent incorporated into T&Cs acceptance, and the approach taken by the Information Commissioner’s Office (the ICO).

Browser settings

The Directive and implementing Regulations appear to allow web businesses to rely upon browser settings, but both the UK and EU authorities have indicated that current web browsers do not effectively enable consent. There is a UK government-formed working group tasked with finding a technical solution to the consent issue. With industry-leaders like Microsoft, Mozilla, Apple, Google, Yahoo and Adobe on board, the authorities appear to be hoping that the problem will be solved without further legislation.

However, if the position of the authorities is right, and current browser settings are insufficient, then taking into account the fact that many users continue to use outdated browsers (5% of this site’s visitors use IE6, released in 2001), browser settings may never be a complete answer.

Further, it’s not entirely clear what changes to browser settings would lead to compliance. More granularity may mean more confusion.

Pop-ups

The consent requirement could be implemented by means of a pop-up box that asks new users to consent to cookies. Some of the problems of this approach are obvious.

Most importantly, this type of feature will ruin the usability of the website: unless used very carefully, pop-ups are inherently offensive to most users. And how will the website remember users who have opted-out (without using cookies)? Will they see the pop-up on every visit? Where many cookies are being used (as on most modern websites), how can users realistically differentiate between the cookies and their different functions? Will the average user even understand the reason for the opt out procedure?

T&Cs

Where all users have to consent to website T&Cs, cookie consent can be incorporated into this process.

However, the demands of usability mean that sign-up processes should be kept to a minimum, and this option will only be a solution for a small number of websites (Facebook, anyone?).

The ICO approach

One approach is to follow in the footsteps of the ICO itself. If you visit www.ico.gov.uk, you will see a banner across the top of the page asking for cookie consent.

But look closer: the banner also highlights a key issue with the new law. Modern websites with interactive functionality don’t function properly without cookies. Given that many users (e.g. EU legislators and regulators) may not fully understand the importance of cookies, there is a risk that many users will refuse their use, without necessarily reading the explanatory text.

Another problem – the potential of the new law to make cookie-based analytics systems (such as Google Analytics) worthless – has been highlighted by researcher Vicky Brock. The results of her freedom of information request concerning ICO usage statistics after the implementation of the consent banner make very interesting reading.

No enforcement for 12 months

Unusually, the Information Commissioner has announced that these new laws will not actually be enforced for 12 months.

The purpose of this grace period is to enable website owners to review their use of cookies and to start thinking about how they will comply with the revised laws come May 2012. But the Information Commissioner has also stressed that he will not tolerate operators who ignore the changes or refuse to take action.

Reaction to the new laws

Few informed commentators have much praise for the new laws.

At the time of writing, almost no UK websites have made changes to comply (the ICO site is the only one I’ve come across that wasn’t in jest, although I haven’t systematically searched).

The fact is that many if not most UK websites using cookies didn’t comply with the old law, and it’s hard to believe that the level of compliance is going to increase significantly now that it is much harder to comply.

Any chance of new new laws?

Less than one third of EU countries have complied with the Privacy and Electronic Communications Directive to date, and the UK has said it won’t enforce the law for now. Surely policy makers realise that there is a serious problem with the new laws?

A more targeted (and perhaps less technology-neutral) approach may be necessary to deal with the real problem of data misuse. However, at the time of writing there is no sign of any plans to amend the Directive or Regulations.

***

Regulation 6 of the Privacy and Electronic Communications Regulations (as amended) is quoted below:

(1) Subject to paragraph (4), a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.

(2) The requirements are that the subscriber or user of that terminal equipment – (a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and (b) has given his or her consent.

(3) Where an electronic communications network is used by the same person to store or access information in the terminal equipment of a subscriber or user on more than one occasion, it is sufficient for the purposes of this regulation that the requirements of paragraph (2) are met in respect of the initial use.

(3A) For the purposes of paragraph (2), consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent.

(4) Paragraph (1) shall not apply to the technical storage of, or access to, information – (a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or (b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.


What is personal data?

February 17th, 2011 by Nathan Greaves

Personal data has no easy, clear-cut legal definition.

The definition set out in the Data Protection Act 1998, enacted following European legislation in the form of Directive 95/46/EC, leaves businesses and their advisers dealing with a significant amount of uncertainty.

“Personal data” are defined in the 1998 Act as:

… data which relate to a living individual who can be identified – (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

In short, any information which can be used to identify an individual constitutes personal data. For example, a list of customer names and addresses will count as personal data, as may a database of customer email addresses.

The broad-brush approach of the 1998 Act has proven troublesome to businesses, as they are subject to legal obligations in relation to a wider range of personal data than a common sense view might suggest.

To use a simple example, “The most recent customer is called Patrick Smith, who has red hair and lives at 54 Evergreen Terrace” is personal data which clearly identifies Patrick. “The most recent customer does not have brown, blonde or dark hair and lives on Evergreen Terrace” should also be considered to be personal data as it is possible that, using this information, one could ascertain the identity of Patrick.

Incomplete data on individuals may still count as personal data. For instance, should a company have a list of reference numbers for individuals which correspond to a list of information cards relating to customers, then the reference numbers (although not on the face of it overtly personal) will be personal data.

A distinction can be drawn between personal data and sensitive personal data, a leak of the latter being much more serious. Sensitive personal data includes data relating to a person’s race, sexuality, health, criminal record or affiliations (such as political persuasion or trade union membership).

Often, we think of personal data as data belonging to customers. But the definition does not only apply to customers; it extends to all individuals including employees. Should a record be kept by an employer of their employees’ performance, this will amount to personal data, as will any record of what is intended for them.

As a general rule, and unless advised otherwise by a lawyer or other data protection professional, businesses should assume that any information relating to individuals may be considered personal data by the law, and treat it accordingly.


Websites, data protection and children

June 28th, 2008 by Alasdair Taylor

The first principle of data protection law is that personal data must be processed fairly and lawfully, and that one or more specified conditions must be met.

Perhaps the most important of those conditions affecting the collection and use of personal data via websites is:

“The data subject has given his consent to the processing.” (Data Protection Act 1998, Schedule 2, paragraph 2)

This raises the question of when a child can be taken to have consented to the processing of his or her personal data.

The DPA 1998 does not itself explicitly deal with the issue of obtaining consent from children. However, the Information Commissioner has written:

“Websites that collect information from children must have stronger safeguards in place to make sure any processing is fair. You should recognise that children generally have a lower level of understanding than adults, and so notices explaining the way you will use their information should be appropriate to their level, and should not exploit any lack of understanding. The language of the explanation should be clear and appropriate to the age group the website is aimed at. If you ask a child to provide personal information you need consent from a parent or guardian, unless it is reasonable to believe the child clearly understands what is involved and they are capable of making an informed decision” (The Data Protection Good Practice Note: Collecting personal information using websites).

So, privacy policies should be extra-prominent and extra-clear. A very young child may never be able to give adequate consent; whereas, an older child may be able to give adequate consent in many different circumstances. The Information Commissioner does go on to refer to a particular age threshold:

“The Act does not state a precise age at which a child can act in their own right. It depends on the capacity of the child and how complicated the proposition being put to them is. As a general rule, we consider the standard adopted by Trust UK (www.trustuk.org.uk) to be reasonable: ‘TrustUK approved webtraders recognise children need to be treated differently from adults. They will not market their products in any way that exploits children, nor will they collect information from children under 12 without first obtaining the permission of a parent or guardian. They will not collect personal data about adults from children.’”

There are particular pitfalls for the operators of social networking websites, other websites which publish user generated content, and websites that collect information that is passed on to third parties:

“There are certain practices that are likely to breach the Act, for example, collecting information about other people from children, and enticing children to reveal information to win a prize or similar. If you are going to disclose or transfer personal information collected from children to third parties, you need to have the explicit and verifiable consent of the child’s parent or guardian, unless you can be sure that the child really appreciates what is going on and the consequences of their actions.

If you want to publish a child’s personal information on the internet, you should usually get the verifiable consent of the child’s parent or guardian. Whether you need the parents’ or guardians’ consent for the publication, or that of the child, will depend on the circumstances, in particular, the child’s age and whether you can be sure the child fully understands the implications of making their information available on the internet.”

An obvious question arises: how can parental consent be verified? The Commissioner states:

“If you need parental consent, you must have some way of verifying this. It will not usually be enough to ask children to confirm their parents have agreed by using a mouse click. If you need parental consent but decide that verifying the consent will involve disproportionate effort, you should not carry out your proposed activity.”

There are a wide range of methods which may be used to verify parental consent, some of which are stronger than others. For example, you might ask for a nominal credit card payment to be made before the child can access the relevant functionality, or you might telephone parents to verify consent.

Note: there is a dedicated US law concerning the online collection of children’s personal data. The Children’s Online Privacy Protection Act of 1998 (COPPA) applies to commercial websites that are directed at children under 13 or, even if not so directed, knowingly collect information from children under the age of 13. The most far-reaching provision of COPPA requires that such websites must, before collecting, using or disclosing personal information from a child, obtain verifiable consent from the child’s parent. This is why many US-orientated websites prohibit children under 13 from registering and using the website.
