The UK government will take its time enforcing new EU privacy laws affecting cookies
UK privacy authorities will allow online businesses some flexibility in the way they implement new EU cookie rules, according to comments by the Department of Media, Culture and Sport on Friday.
The new legislation, which will come into force on 25 May, is an amendment to the EU’s Privacy and Electronic Communications Directive designed to keep pace with the constant evolution of online fraud.
Among the most significant provisions is that online businesses must obtain the consent of users before they may install cookies in their browsers.
The government said on Friday it will adopt the full text of the amendments regarding the cookie issue, but said it does not expect the Information Commissioner’s Office (ICO) to begin enforcement right away.
The ICO is independent, but has confirmed that it is working with the government on how best to handle enforcement of the new rules.
The delay in enforcement will give time for technical systems to be developed that could, for example, allow users to set up their browsers to automaticaly “consent” to cookies on an ongoing basis, rather than having to agree each time they visit a website.
Such systems are being developed by Google and Mozilla for the Chrome and Mozilla browsers. The government is working with unnamed browser makers on cookie consent tools.
The government said it plans to publish guidance on cookies after the regulations are published.
“We recognise that work on the technical solutions for cookie use will not be complete by the implementation deadline. It will take time for meaningful solutions to be developed, evaluated and rolled out,” said culture minister Ed Vaizey in a statement.
The government is also working with an advertising industry initiative that would notify users of controversial “tracking cookies” with an icon in the corner of a web advertisement, and allow them to click to opt out.
The initiative would pave the way for wider acceptance of “behavioural advertising” systems such as Phorm, which was secretly trialled by BT in 2006 and 2007. Phorm and other behavioural advertising technologies use tracking cookies to build a profile of users’ habits and interests based on the websites they visit and then assign targeted ads.
BT attracted widespread outrage when it was revealed in 2008 that the company had conducted the Phorm trials.
Earlier this month the Crown Prosecution Service (CPS) said it had insufficient evidence to prosecute BT for Phorm under the Regulation of Investigatory Powers Act (RIPA) 2000, and that it would not be in the public interest to proceed any further.
The government’s reaction to the Phorm trials prompted the European Commission to launch infringement proceedings against the UK in 2009. According to the EC, the technology contravenes EU ePrivacy and personal data protection rules, which cover the confidentiality of communications, because it intercepts and monitors user actions – in some cases, without the user’s consent.
The controversy highlighted loopholes in UK privacy law, leading the European Commission to threaten to sue the British government for privacy violations. However, on 8 April – the same day the CPS said it would not prosecute – the Home Office published changes to RIPA that will close the loopholes around interception by private companies.