Friday 16 March 2012

Cookies and the PECR (part 5)

Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (PECR)

As previously stated, on 26 May 2011 the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (PECR) came into force. These amend the Privacy and Electronic Communications (EC Directive) Regulations 2003. The 2011 Regulations enhance the powers under the 2003 Regulations and introduce new requirements, most notably in relation to cookies.

According to the ICO advice on the new cookie regulations, the key change introduced is that cookies can only be placed on a machine where the user has explicitly given permission.

Regulation 6 of the PECR

6 (1) Subject to paragraph (4), a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.

(2) The requirements are that the subscriber or user of that terminal equipment--

(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and

(b) has given his or her consent.

(3) Where an electronic communications network is used by the same person to store or access information in the terminal equipment of a subscriber or user on more than one occasion, it is sufficient for the purposes of this regulation that the requirements of paragraph (2) are met in respect of the initial use.

(3A) For the purposes of paragraph (2), consent may be signified by a subscriber who amends or sets controls on the Internet browser which the subscriber uses or by using another application or programme to signify consent.

(4) Paragraph (1) shall not apply to the technical storage of, or access to, information--

(a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or

(b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.

Notes:

Regulation 6(3) implies that the first time the terminal equipment of a subscriber or user is used, they must be asked; on subsequent visits it is not necessary to repeat the request for consent. However, if equipment is shared between users, it is hard to see how the website will know whether it is the same user or not.

Regulation 6(3A) does allow a website to test whether cookies are allowed by trying to write and read a cookie, which the ICO has indicated is not fully acceptable. I assume that if the site detects that cookies are not allowed then it can assume consent is not given; however, if it can write and read cookies then it has to ask for consent, at which point it is too late as it has already written a cookie, potentially without consent.

Regulation 6(4) exempts strictly necessary cookies from the consent request process, where "strictly necessary" means necessary for the operation of the web application to meet the subscriber's or user's expectations.

Cookies and the PECR

Previously, companies using cookies only had to inform users about their use and give such users the opportunity to "opt out" if they wanted; now it is an "opt in" requirement.

In order to determine whether people had opted out, companies have been using the technique of trying to write a cookie to the browser and immediately reading it back to test whether the user had disabled the acceptance of cookies; if the cookie could be written, it was assumed the user had not opted out of accepting cookies.

The Information Commissioner now advises that such tests are not currently sophisticated enough to allow companies to assume that the user has given consent, and he advises that companies should obtain user consent in some other manner.

In order to give the rules some bite, the ICO has the power to serve a monetary penalty of up to £500,000 on organisations that seriously breach the rules, along with the use of enforcement notices and undertakings, which it has used previously as part of the range of options available to make sure organisations comply with the law.

The Commissioner has said they will be able to impose a monetary penalty notice if an organisation has seriously contravened the Regulations and the contravention was of a kind likely to cause substantial damage or substantial distress. In addition, the contravention must either have been deliberate, or the organisation must have known or ought to have known that there was a risk that a contravention would occur and failed to take reasonable steps to prevent it.

This is going to mean companies will need to look at their web sites and develop a strategy for gathering cookie consent.

The process of cookie consent handling is shown in this flowchart.

At the moment essential cookies don't need consent, so if your site only uses essential cookies then no consent is required. However, if you have a mix (and most sites will, especially if they are using Google Analytics) then you will need to get consent for the cookies that are not strictly necessary, and this is where the problems start.
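As an added example (not code from the original post), the following JavaScript applies the Regulation 6 logic described above: strictly necessary cookies are written without asking, everything else waits for an explicit opt-in, the choice is stored so later visits need not ask again, and the write-and-read probe is included for contrast. The cookie names, categories and the injectable storage "jar" are assumptions made for illustration.

```javascript
// Added example, not code from the original post: a consent gate that applies the
// Regulation 6 logic before a cookie is written. Cookie storage is an injectable
// "jar" (a plain object) so the logic can run outside a browser; in a real page
// it would be backed by document.cookie. All cookie names and categories are
// constructed for illustration.
const COOKIE_REGISTER = {
  session_id: "strictly-necessary", // keeps the user logged in: exempt under 6(4)(b)
  basket:     "strictly-necessary", // shopping basket the user asked for
  _ga:        "analytics",          // Google Analytics: not exempt, needs consent
  ad_profile: "advertising",        // needs consent
};

// The consent record itself is strictly necessary: it stores the "initial use"
// consent so that later visits need not ask again (6(3)).
const CONSENT_COOKIE = "cookie_consent";

function makeGate(jar) {
  const hasConsent = (category) =>
    jar[CONSENT_COOKIE] !== undefined && jar[CONSENT_COOKIE].split(",").includes(category);

  return {
    // Explicit opt-in from the banner (6(2)(b)); categories is e.g. ["analytics"].
    grantConsent: (categories) => { jar[CONSENT_COOKIE] = categories.join(","); },
    // Show the banner until the user has made a choice (an empty choice still counts).
    needsBanner: () => jar[CONSENT_COOKIE] === undefined,
    // Write a cookie only when the regulation allows it; the reason is for audit logging.
    setCookie: (name, value) => {
      const category = COOKIE_REGISTER[name];
      if (category === undefined) return { set: false, reason: "unregistered cookie " + name };
      if (category === "strictly-necessary" || hasConsent(category)) {
        jar[name] = value;
        return { set: true, reason: category };
      }
      return { set: false, reason: "no consent for " + category };
    },
  };
}

// The write-then-read probe the post describes. It only shows that the browser
// accepts cookies, and it has already written one before any consent was given.
function probeCookiesEnabled(jar) {
  jar.__probe = "1";
  const enabled = jar.__probe === "1";
  delete jar.__probe;
  return enabled;
}
```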

What is the ICO doing?

The ICO website has a banner for requesting consent to use cookies, with a check box for accepting cookies, a continue button and a link to a privacy notice. This is all good until you click on the continue button without accepting cookies from the site: the warning changes by the addition of a line saying "You must tick the "I accept cookies from this site" box to accept", and the banner stays on all pages until you tick the box. This shows the problems of getting consent and how it affects the user experience if there is a banner about cookies at the top of every web page.

What is the solution for the future?

The law whilst aimed at protecting users does not reflect the current technology being used in websites and browsers.

The EU has said existing cookie controls in browsers are not flexible enough, and that a majority of users don't understand cookies and won't be able to configure cookies for each web site.

Some browser extensions do provide the functionality to block some cookies and allow others; however, this takes user awareness and knowledge. Software writers developing browsers could take some of these ideas and implement them in the browser, and on first use the browser could ask for its settings to be configured, with the default being that strictly necessary cookies are allowed and all others are blocked. But how does a browser tell a strictly necessary cookie from any other cookie? Here the development of a new RFC for session management is required, with a new "strictly necessary" attribute which can be set by the website developer. The ICO and other such agencies could then have strict penalties for incorrect setting of cookie attributes.
