Following the coming into force in May 2011 of the updated Privacy and Electronic Communications Regulations, the UK data regulator has published new guidance. Yes, this covers the new cookie consent laws and other changes, but do we get new insights from eight years of enforcing the unchanged email, text and telemarketing laws? Stephen Groom investigates.
Topic: On-line advertising
Who: The Information Commissioner's Office ("ICO")
When: September 2011
Where: Wilmslow, Cheshire
Law stated as at: 5 October 2011
What happened:
ICO has published a new "Guide to Privacy and Electronic Communications" ("Guide").
Although they are not expressly name-checked in the Guide, the document appears to relate to the recently amended Privacy and Electronic Communications (EC Directive) Regulations 2003 ("new PECRegs").
These came into force on 26 May 2011 and arrived in the UK courtesy of EC Directive 2009/136/EC and the UK Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011.
Again, a clear statement to this effect has been difficult to find (for instance, the Guide contains no scene-setting introduction), but it must be right that the Guide entirely supersedes ICO's previous "Guidance for marketers on the Privacy and Electronic Communications (EC Directive) Regulations" ("Guidance"), the first edition of which was published in November 2003.
Expectations from the new Guide dashed
So what could we expect from the brand new Guide?
There would hopefully be guidance as to how to comply with the handful of new rules introduced by the 2009 Directive, such as the new consent requirement for the use of devices such as cookies to store information on, or gain access to information stored on, PCs, laptops, iPads and smartphones.
Also, after ICO's eight years' experience of interpreting and enforcing the majority of the PECRegs rules, which have remained largely unchanged, perhaps we could hope for greater insights into how businesses should ensure compliance with, for example, the opt-in and opt-out rules for unsolicited email marketing or the "do not call" list-based rules for cold calling.
A comparison of the Guide with the old Guidance, however, shows no such new insights.
On those parts of the new PECRegs that are unchanged from the old version, the Guide is virtually the same, save for some minor stylistic changes.
Another change is that, oddly, the new Guide itself excludes the parts of the old Guidance that dealt with the key issues of the meaning of "opt-in" and "opt-out" in the context of email and text marketing and whether consent means ticking a box.
Initially the thought is that perhaps ICO has decided its previous Guidance was incorrect on these points but has not yet ordered its thoughts sufficiently to share its new views on these aspects with us. Then, on checking the ICO site, it turns out that the excluded passages are still there, again largely unchanged, but located outside the Guide. Strange.
Guide does offer help on new rules
Turning to the changes to the substantive Regulations, here at least the Guide offers new help.
On the new cookie rules, covered in the amended "Confidentiality of Communications" regulation 6 of the new PECRegs, the Guide refers to the "advice on the new cookies regulations" that ICO has already published. The Guide goes on to stress that using such devices will not necessarily be harmful or unwarranted, but that under the new regime subscribers or users must be given a choice as to which of their on-line activities are monitored in this way.
The Guide goes on to emphasise that the cookie rules apply to all uses of such devices, not just those involving the processing of personal data, but if personal data is processed by cookies, the Guide reminds us that the eight data protection principles in the Data Protection Act 1998 will apply, including Principle Three, which states that data controllers must not process personal data that is excessive.
On the new obligation to obtain consent, the Guide underlines that once appropriate disclosure about the cookie has been made and consent obtained, this will not need to happen again on future occasions (presumably on future visits by the same user or subscriber to the same website), although cookie users are free to repeat it if they wish.
Who must get consent for cookie use?
As for who is responsible for providing the required cookie information and obtaining consent, the Guide confirms that the new PECRegs are silent on this. The only further guidance offered is that where a person operates an online service and any use of a cookie type device will be for their purposes only, it is clear that that person will be responsible for compliance.
More help would have been welcome here, as this question has key relevance in cases where for example the user or subscriber is located in one country and the website dropping the cookie is hosted on a server located in another.
On the carve-out (from the disclosure and consent requirements) for cookie use that is "strictly necessary" to provide an information society service, the Guide explains that "strictly necessary" means what it says and that "important" will not do.
When both user and subscriber are different, whose consent takes precedence?
The Guide then looks at the user/subscriber dichotomy in the context of obtaining consent for cookie use. Regulation 6 says that consent can be obtained from either, but does not indicate which should take precedence if user and subscriber are different.
The Guide cites a standard scenario in which the employer is the subscriber (paying the telecoms bill allowing its employees to access websites from their desks) whilst the employee is the user.
Where the employer gives the employee access to certain online services so that the employee can perform a task for the employer, and the use of those services depends on the use of a cookie-type device, the Guide suggests that it would not be unreasonable for the employer's wishes on consent to take precedence.
However, if the use of the cookie would involve the collection of unwarranted amounts of personal data relating to the employee, the Guide feels that the employer's wishes should not take precedence. Hmm. One gets the feeling that this may not be the last word on this topic.
Why this matters:
It is certainly helpful for the regulator to introduce guidance on the recent changes to privacy and electronic communications laws. It is not necessarily quite so helpful, however, for ICO to spurn such a golden opportunity to provide more up-to-date guidance on how to comply with some of the original rules that still cause problems. The new content on the recently introduced rules is also in places not as helpful as one might wish. However, it is early days, and hopefully updated editions will be published as ICO gains more practical enforcement experience.