Tuesday 17 May 2011

Restraining cookies: the new privacy rules

On 26th May 2011, a new law — the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 — comes into force which will change fundamentally the legal regime governing cookies and other similar locally stored data. As I will explain, the legal change is a big deal, but the practical effect may, at least in the short term, be small.

The Information Commissioner has published some useful practical guidelines (alas only as a PDF). They are not definitive (so they may not protect you in the unlikely event someone tries to sue you for damages caused by a breach of the regulations) but since the Information Commissioner (or his office at least) has the primary role in enforcing the regulations, complying with his guidelines will go a long way to avoiding any possible legal repercussions. If you have a short attention span and wish to read only one thing about the new cookie law then I'd advise you go there (see you another time and thanks for visiting).

The new rules apply to storing information (or accessing information already stored) on a public network user's computer. That includes not only cookies and "flash cookies" but any other information that might be stored on a local computer; for example, they would certainly apply to the iPhone's storage of location data. For brevity I'll talk about cookies and storing cookies, but all that follows applies much more widely than that.

Overview

The amended regulation 6 will forbid anyone from storing cookies unless one of the following applies:

  • the user has given their prior, informed, consent (an opt out is no good)
  • it is for the sole purpose of "carrying out the transmission of a communication"
  • it is strictly necessary for the provision of an information society service that was requested by the user

In practice this means that, except in very limited circumstances, prior explicit permission will need to be given by a user before using cookies. The limited circumstances might include situations where the illusion of a session (http being stateless) is needed in order to provide the user with the service they want, for example via a "shopping cart".

Tracking what a user does (eg with a tool like google analytics) or supplying additional services they might want (eg "other users also bought...") would not be for a service "requested by the user" and so would need consent.
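The distinction drawn above (a cookie that is strictly necessary for the service the user asked for versus one that tracks or profiles them) can be enforced in the code that issues cookies. The following is an added example, not code from the original post: a server-side helper that always issues a shopping-cart session cookie, because the service cannot work without one, but only issues an analytics identifier when the request already carries an explicit, affirmative opt-in. The cookie names (`cart_session`, `analytics_id`, `cookie_consent`) and the `Request` stand-in are assumptions for illustration.

```python
"""Consent-gated cookie issuance (added example; names are assumed)."""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field
from http.cookies import SimpleCookie

# Cookies without which the requested service cannot be provided (assumed names).
STRICTLY_NECESSARY = {"cart_session"}


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request: just its cookie jar."""
    cookies: dict = field(default_factory=dict)

    @property
    def has_consent(self) -> bool:
        # Consent must be a prior, explicit opt-in recorded from an earlier
        # choice. Absence of a preference is not consent, and neither is "no".
        return self.cookies.get("cookie_consent") == "yes"


def requires_consent(name: str) -> bool:
    """True for any cookie that is not strictly necessary for the service."""
    return name not in STRICTLY_NECESSARY


def build_set_cookie_headers(req: Request) -> list[str]:
    """Return the Set-Cookie header values the server should send for `req`.

    Strictly necessary cookies are issued whenever missing; consent-requiring
    cookies are issued only when the request carries a recorded opt-in.
    """
    jar = SimpleCookie()

    # Gives the illusion of a session (HTTP being stateless) for the cart.
    if "cart_session" not in req.cookies:
        jar["cart_session"] = secrets.token_urlsafe(16)
        jar["cart_session"]["httponly"] = True
        jar["cart_session"]["secure"] = True
        jar["cart_session"]["samesite"] = "Lax"

    # Tracking identifier: not part of the service the user requested, so gated.
    if req.has_consent and "analytics_id" not in req.cookies:
        jar["analytics_id"] = secrets.token_urlsafe(16)
        jar["analytics_id"]["secure"] = True
        jar["analytics_id"]["samesite"] = "Lax"

    return [morsel.OutputString() for morsel in jar.values()]


def cookie_names(headers: list[str]) -> set[str]:
    """Names of the cookies a list of Set-Cookie header values would set."""
    return {h.split(";", 1)[0].split("=", 1)[0].strip() for h in headers}


if __name__ == "__main__":
    # First visit, no recorded preference: only the session cookie is set.
    print(build_set_cookie_headers(Request()))
    # Returning visitor who opted in: the analytics cookie is now set too.
    print(build_set_cookie_headers(Request({"cookie_consent": "yes"})))
```

Note that the gate is the recorded `cookie_consent=yes` value and nothing else: a browser that merely accepts cookies by default, or a user who never answered, is treated as not having consented, which matches the post's view that default browser settings and unread terms do not amount to consent.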

Consent may be given by the user explicitly setting their browser to accept cookies. At the moment most browsers will, by default, accept cookies and so it is not, at present, realistic to rely on a user's browser settings to gain the necessary consent. Browser technology may change to make such a reliance tenable and I expect there to be some pressure in that direction.

Clauses in a website's terms and conditions which do not have to be explicitly accepted by a user (for example because they are linked to at the bottom of a page) are, in my view, also not going to be any good.

One small consolation to online service providers is that the ICO has said that in the early stages of this new law all he will look for is a plan to get things right, rather than expect 100% compliance from 26th May. That isn't an excuse to be complacent, but does give some breathing space.

Detail

The origin of the new law is in an amendment to the directive on privacy and electronic communications (directive 2002/58/EC). There doesn't appear to be a consolidated version in HTML format online, but for the purposes of this post all we care about is the replacement article 5(3), which was inserted by the amending directive and reads:

3. Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.

On one analysis it is not the web server (and thus the operator of the server) who stores or gains access to cookies on a user's machine; rather, the server returns a "Set-Cookie" response header which a web browser has no obligation to honour. It is also the web browser that transmits the value of a cookie back to the web server.

The directive is not intended to be understood in so narrow a sense. Only a small minority of web users understand how http works. The majority will not realise that information is being stored by their web browser on someone else's behalf. It is clearly the risks associated with this lack of knowledge that the directive aims to address. Recital 24 says:

(24) Terminal equipment of users of electronic communications networks and any information stored on such equipment are part of the private sphere of the users requiring protection under the European Convention for the Protection of Human Rights and Fundamental Freedoms. So-called spyware, web bugs, hidden identifiers and other similar devices can enter the user's terminal without their knowledge in order to gain access to information, to store hidden information or to trace the activities of the user and may seriously intrude upon the privacy of these users. The use of such devices should be allowed only for legitimate purposes, with the knowledge of the users concerned.

Recital 25 makes it clear that "cookies" are one such device. It concedes that they can be legitimate and useful but that any use must be with informed consent.

Article 5(3) is very broad in its application. It catches storage on any "terminal equipment" (so mobile devices as well as traditional PCs) and is not restricted to the web or web browsers. The terminal equipment need only belong to a "user", which is defined in article 2(a) as anyone using the network for private or business purposes. So it does not seem to be possible to agree with a subscriber to (say) an ISP or mobile phone service in advance that they consent to the storage of cookies etc. on any terminal equipment using their connection if others might use it with different equipment.

The only obvious restrictions to 5(3) are:

  • It only applies to services available over public communication networks and so does not apply to (i) private network services or (ii) to gaining access to a computer without using a network at all.
  • Unsurprisingly, member states are allowed to create their own exceptions where necessary for the purposes of public security, defence and the prevention of crime. Just such an exception was made by the UK in regulation 28.

Who is responsible? For example, at present I publish this blog using google's blogger service. If google choose (say) to track those reading my blog using cookies without my asking them to, what then? In my view it is the service provider (in this case google) that is carrying out the unlawful activity rather than I, although if I have expressly asked them to do so, then we may both be responsible. If, on the other hand, my blog was made available on a "dumber" hosting service - for example if I installed my own wordpress instance on a server on which I had shell access and I decided to use cookies - then it would be I, not the provider of my shell access account, who would have to take care of the legalities.

There are two ways that a user's (or subscriber's) rights may be enforced. First, by the information commissioner in much the same way as data protection obligations are enforced. Second, regulation 30 permits an individual who has suffered damage as a result of a breach (who might not be the user or subscriber whose equipment was accessed) to bring a claim for damages against the person who committed the breach. There is a defence of reasonable care against such a claim.

So, where cookies are used to illicitly track an individual's preferences and sold to advertisers to allow advertising to be targeted, there is unlikely to be any actual damage and enforcement would have to be by the information commissioner. By contrast, where the use of cookies results in someone's bank details being obtained by a third party (entirely possible with some of the more poorly written systems out there) there may well be financial loss and a right of action. In practice I don't expect to see very many claims, interesting though they would be.

Update

An anonymous commenter asks about other forms of content stored by a web browser. A web browser will almost always store the HTTP response(s) to any request. Some of the information contained in that response may be sent back to the server: a simple example is the value of any fields set in an HTML form, but there are many other, in some cases very sophisticated, mechanisms for doing the same thing. Even the URL in an href attribute can be used to store information — as those with long web memories will recall, one of the earliest example applications using HTML created a noughts and crosses game doing just that.

I suspect that the courts will read the directive as applying only to data stored on a user's computer that can (in principle) be later retrieved by the person storing it or by some other third party. It seems to me that the directive is aimed at the kind of mischief which arises where someone or some people track what a user does and keep secret information about them that they can use for their own purposes. Of course there are still risks if information is stored without your knowledge even if it is accessible only to the user of the computer, so the courts may decide to read the directive more widely than that.

Most of these forms of storage will be lawful because they are strictly necessary to provide the service sought by the user. HTML stored by the browser which is displayed to the user is a necessary part of browsing any web page. Ditto where form fields are used for any kind of web transaction such as logging in or purchasing a product. The service can't be supplied without some local state being maintained one way or another. The user will expect it to be so.

On the other hand, keeping a complicated session key that tracks (or allows the tracking of) the user's behaviour without forming part of the functionality the user wanted would, in my view, fall foul of the directive and need express consent. The fact that cookies aren't used is irrelevant.
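The update's point, that state can travel back to the server through hidden form fields or URLs just as well as through cookies, is easiest to see by inventorying everything in a response that the browser will later echo. The following is an added example, not code from the original post: it takes a response's headers and HTML body and lists the Set-Cookie headers, the hidden form fields, and the query parameters of every link, then reports any value that appears in more than one of those channels, which is the pattern of an identifier being carried around regardless of whether cookies are honoured. The sample response and the `visitor` identifier in it are constructed for the example.

```python
"""Inventory of the state a response asks the browser to keep (added example)."""
from __future__ import annotations

from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit


class StateFinder(HTMLParser):
    """Collect hidden form fields and link query parameters from an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.hidden_fields: list[tuple[str, str]] = []
        self.link_params: list[tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "hidden":
            # Value is sent back to the server on submit without the user seeing it.
            self.hidden_fields.append((a.get("name") or "", a.get("value") or ""))
        elif tag == "a" and a.get("href"):
            # Anything in the query string is sent back when the link is followed.
            query = urlsplit(a["href"]).query
            self.link_params.extend(parse_qsl(query, keep_blank_values=True))


def inventory(headers: list[tuple[str, str]], body: str) -> dict[str, list[tuple[str, str]]]:
    """List every channel through which this response stores state client-side."""
    cookies = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            pair = value.split(";", 1)[0]          # drop attributes such as Secure
            cname, _, cval = pair.partition("=")
            cookies.append((cname.strip(), cval.strip()))
    finder = StateFinder()
    finder.feed(body)
    finder.close()
    return {
        "cookies": cookies,
        "hidden_fields": finder.hidden_fields,
        "link_params": finder.link_params,
    }


def repeated_values(inv: dict[str, list[tuple[str, str]]]) -> set[str]:
    """Values carried by two or more channels: a sign of an identifier that
    would survive even if the browser discarded every cookie."""
    channels = [{v for _, v in inv[key]} for key in ("cookies", "hidden_fields", "link_params")]
    counts: dict[str, int] = {}
    for channel in channels:
        for v in channel:
            if v:
                counts[v] = counts.get(v, 0) + 1
    return {v for v, n in counts.items() if n >= 2}


# Constructed sample response: a checkout form plus a noughts-and-crosses
# style link that carries the board state in the URL.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "cart_session=s1; HttpOnly; Secure"),
    ("Set-Cookie", "analytics_id=a1; Secure"),
]
SAMPLE_BODY = """
<form method="post" action="/checkout">
  <input type="hidden" name="csrf" value="t0k3n">
  <input type="hidden" name="visitor" value="v-42">
  <input type="text" name="qty">
</form>
<a href="/next?board=x.o......&visitor=v-42">Next move</a>
<a href="/about">About</a>
"""

if __name__ == "__main__":
    inv = inventory(SAMPLE_HEADERS, SAMPLE_BODY)
    for channel, items in inv.items():
        print(channel, items)
    print("carried in more than one channel:", repeated_values(inv))
```

In the sample, the `board` parameter is state the user asked for (the game cannot continue without it), whereas `visitor` rides along in both a hidden field and the link and serves no function the user requested; on the post's reading it is the second kind that needs express consent, cookies or no cookies.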