Category Archives: International / European Union Privacy

E.U. Cookie Law: U.K.’s ICO Says “It’s Complicated”

Starting today, U.K. websites must ask for and obtain the consent of their users before placing non-essential cookies on their computers.  (A “cookie” is a small text file that is stored on your computer when you visit a website and can be used to recognize you when you return, or when you visit other websites.)  The so-called E.U. “Cookie Law” aims to protect website users from unwanted marketing by giving them more control over cookies.

The E.U. Commission implemented the Cookie Law on May 25, 2011, but the U.K.’s data protection authority, the Information Commissioner’s Office (ICO), gave companies one year to comply.  The deadline for compliance is technically today, May 26, 2012.  However, the ICO announced yesterday that compliance with the law is complicated and so it does not expect (or require) full compliance by today.  Instead, the ICO expects companies to have taken steps to comply, including the development of a plan to achieve compliance by a specific date.  The specific steps the ICO mentions include conducting a cookie audit to determine what types of cookies a website has and how they are used, making notices on the website about cookies more obvious to users, and determining the best method to get users’ permission.  A recent KPMG study found that 95% of companies have yet to comply with the law, so the Commission’s shift seems rooted in reality.

The guidance yesterday made an important clarification about getting users’ permission.  Contrary to its previous statement regarding consent, the ICO now says “implied consent” is a valid form of consent.  Previously, the ICO had advised that once the law took effect, users would have to opt in to all non-essential cookies, which critics pounced on as impractical and burdensome.  In other words, before a cookie could be placed on a user’s computer, the user would have to agree.  This would have required users to, for example, click an icon, dismiss a banner, send an email or subscribe to a service.  Based on yesterday’s reversal, a company can now rely on implied consent, so long as it believes its visitors have a reasonable understanding that their actions will result in cookies being set or information being accessed on their device.  This is a very significant change.

Also in the good news column for website owners, the ICO said that a company’s failure to comply with the new law will not likely result in fines (the maximum monetary penalty for non-compliance is £500,000, which is not a small sum); instead, the ICO would want to see a specific plan of action to bring the company into compliance.

The law applies to all 27 Member States of the European Union.  Websites outside the E.U. must comply with the law if they are targeting people within Member States.  So, a website based in the U.S. that sells to users who are residents of the U.K., for example, will also have to comply with the Cookie Law.  What this compliance looks like is certainly more reasonable today from a website owner’s perspective than it was before the ICO’s announcement yesterday.


U.K.’s ICO Warns 75 Web Giants to Mind Their Cookies

Seventy-five of the U.K.’s largest online companies received letters of inquiry from the Information Commissioner’s Office (ICO) (i.e., the U.K.’s privacy watchdog) asking how those companies intend to comply with the new E.U. Cookie Directive, which went into effect on May 25.  The ICO requested a response within 28 days.

Companies on the list include Amazon, AOL, Apple, Domino’s Pizza, eBay, Facebook, Google, Microsoft, Weightwatchers and Yahoo, among others.

Nolo’s Privacy Matters Blog Premieres!

Welcome to Privacy Matters, a Nolo blog devoted to information privacy and data security issues as they relate to small businesses and consumers.  Information privacy covers the rules that apply to the gathering and handling of “personal information” — in other words, information that can be traced to a particular individual, such as geolocation information, credit information, or health records.

Privacy law varies by industry, state, country, transaction and customer, and it is complicated.  Through blog posts and an ongoing series of Nolo primer articles, I hope to provide general, useful information about fundamental privacy principles and best practices that Internet, technology and bricks-and-mortar businesses need to be aware of, as this area of law can be a minefield for the unwary.

Class action lawsuits and Federal Trade Commission enforcement actions against tech titans like Facebook and Google, along with high-profile data breaches jeopardizing the private data of millions of individuals and tarnishing the reputations of scores of companies like Sony, Heartland Payment Systems and RSA Security, have thrust privacy onto the front pages.  It’s important for small business owners to recognize that the same rules that have gotten large companies into trouble apply to small businesses as well.  When it comes to privacy, an ounce of prevention is, in fact, worth a pound of cure.