Privacy & Information Security Law Blog

On March 16, 2011, UK Information Commissioner Christopher Graham shared details of the government’s proposals for the implementation of the e-Privacy Directive with delegates at the Direct Marketing Association’s Data Protection Conference in London. A letter from the Minister for Culture, Communications and Creative Industries, Ed Vaizey, provides important reassurance to business that “Government is committed to introducing the amended provision in a way that minimises impacts to business and consumers.”

The government’s response to its consultation on the implementation of revisions to the European Framework Directive, including the controversial cookie provision, Article 5(3), is still to be published, but Mr. Vaizey has stated that it “will contain a clear statement on Article 5(3) of the e-Privacy Directive, and will set out how [the government] see[s] implementation of the Article 5(3) going forward. It will make reference to what we see as the very necessary phased implementation of the article, in order that meaningful solutions can be developed.”

Importantly, the response will set out the government’s expectations for “what users of cookies should do whilst those solutions are developed.” This statement should give comfort to organizations that are aware changes in the law are forthcoming and stand ready to comply, but are frustrated by a lack of clarity as to what is required with the May 25, 2011, implementation date looming.

Significantly, the Minister stated that the UK government “does not see a one size fits all solution to this article but rather will look to the development of a UK ecology of solutions.” It is not at all clear what this means, but a phased approach to implementation, together with an apparent rejection of a “one size fits all” solution, appears promising.

Turning to specific solutions, the UK intends to “continue to pursue enhanced browser settings, in which users are provided with more information as to the use of cookies and are presented with easily understandable choices regarding the import of cookies onto their machine.” Business will be interested in the government’s support for “cross industry work on the use of third party cookies in behavioural advertising.” In particular, the government intends to refer to recital 66 in its transposition of the Directive into the UK Privacy and Electronic Communications Regulations, and to explain how it should be interpreted. The government considers that this approach “will allow servers not to require consent for cookies strictly necessary for a requested service, and will cover the use of cookies that underpin shopping baskets in websites.”

The Minister acknowledges that there may be some uses of cookies that are not covered by the above, and that the government will encourage businesses to review their own use of cookies and to take steps to ensure that they comply with the Directive. The government is setting up a separate working group to explore other options with industry, with the objective of publishing a list of “‘approved’ solutions as a guide to industry.”

Christopher Graham has promised pragmatic guidance from his office to assist organizations with implementation, but repeated his previous warning that organizations need to “wake up” to the fact that the law is changing. “The time for lobbying was five years ago; the time for compliance is now.”