New PECR rules – what do they mean for me?

Enforcing the revised PECR

The Regulations that cover direct marketing by electronic means and the use of cookies have changed.

Why are the rules changing?

The European Directive on which the Regulations are based has been revised. As a result the existing Regulations in the UK have been amended by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011.

Many of the Regulations are staying the same; however, there are some important changes. These include:

  • new rules for websites using cookies and similar technologies;
  • the introduction of new powers for the Information Commissioner to serve a monetary penalty on an organisation when very serious breaches of the Regulations occur; and
  • the introduction of new powers for the Information Commissioner to investigate breaches of the Regulations by obtaining information from certain third party organisations.

Many of the other Regulations are staying the same or have only minor changes. The parts staying the same include most of the rules on marketing by live phone call, automated phone call, fax, email and text message.

New rules for websites using cookies and similar technologies

A cookie is a small file of letters and numbers downloaded on to a device when the user accesses certain websites. Cookies allow a website to recognise a user’s machine.

Cookies might be used, for example, to remember your preferences on a website, to record what you have put in your shopping basket before you check out, to count the number of people looking at a website or to look at how users navigate the site.

The Regulations also apply to similar technologies for storing information. This could include, for example, Locally Stored Objects (commonly referred to as “Flash Cookies”).

For more information about cookies, how they work and what choices you can make through your own browser settings see: http://www.allaboutcookies.org/

What is changing?

The rules previously required websites to tell you about cookies they used and give you information about how to ‘opt out’. Most organisations did this by putting information in their privacy policy.

The new rules require in most cases that websites wanting to use cookies get consent. The ICO has produced specific guidance on the ways in which organisations might meet this requirement.

How will these new rules impact on me when I use the internet?

Many websites use cookies. Once these rules start to be put into practice over the coming months you are likely to start to see more information about cookies on sites and be given more choices about these cookies. This might include, for example, being asked to agree to a cookie being used for a particular service, such as remembering your preferences on a site.

Organisations will need to decide on the best way to provide clear information about cookies and to give people using their websites the right choices. They will also want to make sure that these changes do not adversely affect the experience of people using the internet. As organisations have not had a long time to prepare for these changes, the Commissioner is giving organisations time to comply with the rules. This should ensure they find a solution which meets the requirements in a way that works well for their site and meets the needs of people using it.

How will you deal with complaints about cookies?

We have issued a statement setting out how we intend to approach enforcing these new rules.

Organisations have 12 months to make sure they comply with the new rules. In that time we expect websites to be looking at the cookies they use and where necessary putting in place steps to get your consent.

If a website does not appear to be taking steps to comply with the new rules and we receive a complaint during this 12-month period, we will provide advice to the organisation concerned on the requirements of the law and how they might comply. Where we think it is appropriate, we will also ask organisations to explain the steps they are taking to ensure that they will be in a position to comply by May 2012.

We will continue to consider complaints about organisations that are not providing information about the cookies they use because this has been a requirement for several years.

From May 2012 we will expect websites to be complying with the law and will deal with complaints about sites that are not complying in line with our normal procedures. For more information about how we handle complaints see our When and how to complain page.

The Commissioner’s new powers to serve a monetary penalty

The changes include the introduction of new powers for the Commissioner to enforce the requirements of the Regulations. The main change is that the Commissioner will now have the power to serve a monetary penalty of up to £500,000 on organisations that seriously breach the rules.

The Commissioner will be able to impose a monetary penalty notice if an organisation has seriously contravened the Regulations and the contravention was of a kind likely to cause substantial damage or substantial distress. In addition the contravention must either have been deliberate or the organisation must have known or ought to have known that there was a risk that a contravention would occur and failed to take reasonable steps to prevent it.

We will be producing guidance on the way in which we intend to use these powers. The monetary penalty powers will apply only to the most serious breaches, such as cases where a large number of individuals have suffered distress as a result of persistent automated marketing calls. 

We will still be able to use enforcement notices and undertakings as we have previously as part of the range of options available to us to make sure organisations comply with the law.

When will you start issuing monetary penalties?

We are issuing guidance on how we will use these powers. This guidance has to have a period of consultation and we will be unlikely to use our new powers until the consultation is concluded and the guidance is published. This will be later this year.  

The Commissioner’s new powers to investigate breaches of the Regulations

The changes include the introduction of new powers for the Commissioner to serve an information notice on certain third parties (telecoms companies and internet service providers) who hold information that is relevant to our investigation into a likely breach of the Regulations.

This power allows the Commissioner to request information from organisations who are not responsible for breaking the rules but may hold information that will help the ICO to investigate another company. This could involve, for example, a request to a telecoms company for information they hold about a company making marketing calls but refusing to identify themselves during the calls.

We will be producing guidance on the way in which we intend to use these powers.
