Confidentiality of communications
Regulation 6 covers the use of electronic communications networks to store information or gain access to information stored in the terminal equipment of a subscriber or user. So-called spyware can enter a terminal without the knowledge of the subscriber or user to gain access to information, store information or trace the activities of the user. This Regulation reflects the growing concern about the use of covert surveillance mechanisms online.
However, it is recognised in the Directive that using such devices will not necessarily be harmful or unwarranted. The use of devices such as cookies, for example, has for some time been commonplace and cookies are important to provide many online services. Using such devices is not, therefore, prohibited by the Regulations but they do require that subscribers and users should, to some extent, be given the choice as to which of their online activities are monitored in this way.
Cookies and personal data
Although devices which process personal data give rise to greater privacy and security implications than those which process data from which the individual cannot be identified, the Regulations apply to all uses of such devices, not just those involving the processing of personal data.
Where the use of a cookie type device does involve the processing of personal data, service providers will need to make sure they comply with the additional requirements of the Data Protection Act 1998 (the Act). This includes the requirements of the third data protection principle which states that data controllers must not process personal data that is excessive. Where personal data is collected, the data controller should consider the extent to which that data can be effectively processed anonymously. This is likely to be particularly relevant where the data is to be processed for a purpose other than the provision of the service directly requested by the user, for example, counting visitors to a website.
Information to be provided
Cookies or similar devices must not be used unless the subscriber or user of the relevant terminal equipment:
- is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
- is given the opportunity to refuse the storage of, or access to, that information.
The Regulations are not prescriptive about the sort of information that should be provided, but the text should be sufficiently full and intelligible that individuals who wish to can clearly understand the potential consequences of allowing the device to store and access information on their equipment. This is comparable with the transparency requirements of the first data protection principle.
There may be different interpretations of the requirement that the user or subscriber should be ‘given the opportunity to refuse’ the use of the cookie type device. At the very least, however, the user or subscriber should be given a clear choice as to whether or not they wish to allow a service provider to continue to store information on the terminal in question.
The Interactive Advertising Bureau (IAB) is an industry body that develops standards and guidelines to support online business processes. It has produced a series of web pages at www.allaboutcookies.org which explains to users how cookies work and can be managed. The IAB welcomes website owners who wish to link their cookie policies directly to these pages.
Regulation 6(3) states that once a person has used such a device to store or access data in the terminal equipment of a user or subscriber, that person will not be required to provide the information described in Regulation 6(2) (and discussed above) on subsequent occasions, as long as they met these requirements initially. Although the Regulations do not require the relevant information to be provided on each occasion, they do not prevent this.
Responsibility for providing the information
The Regulations do not define who should be responsible for providing the information outlined in Regulation 6(2). Where a person operates an online service and any use of a cookie type device will be for their purposes only, it is clear that that person will be responsible for providing the information in question.
We recognise that it is possible for organisations to use cookie type devices on websites seemingly within the control of another organisation, for example, through a third party advertisement on a website. In these cases, the organisation the site primarily refers to will be obliged to alert users to the fact that a third party advertiser operates cookies. It will not be enough for that organisation to provide a statement to the effect that they cannot be held responsible for any use of such devices employed by others they allow to place content on their websites. The third party would also have a responsibility to provide the user with the relevant information.
The Regulations are also not prescriptive about the way in which a user or subscriber should be able to refuse the use of a cookie type device. Service providers can choose to make their own switch-off facilities available, or explain to the user or subscriber how they can use the facilities specific to their browser type. Although a standard approach would be beneficial, it is more important that the mechanism is uncomplicated, easy to understand and accessible to all.
There is nothing to prevent service providers from requiring users to ‘opt in’ to receiving the cookie rather than providing them with the opportunity to ‘opt out’.
Exemptions from the right to refuse a cookie
The Regulations specify that service providers should not have to provide the information specified in Regulation 6(2) where that device is to be used:
- for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network; or
- where such storage or access is strictly necessary to provide an information society service requested by the subscriber or user.
In defining an ‘information society service’ the Electronic Commerce (EC Directive) Regulations 2002 refer to ‘any service normally provided for remuneration, at a distance, by means of electronic equipment for the processing (including digital compression) and storage of data, and at the individual request of a recipient of a service’.
The term ‘strictly necessary’ means that such storage of or access to information should be essential, rather than reasonably necessary, for this exemption to apply. However, it will also be restricted to what is essential to provide the service requested by the user, rather than what might be essential for any other uses the service provider might wish to make of that data. It will also include what is required to comply with any other legislation the service provider might be subject to, for example, the security requirements of the seventh data protection principle.
Where the use of a cookie type device is deemed ‘important’ rather than ‘strictly necessary’, those collecting the information are still obliged to provide information about the device to the potential service recipient so that they can decide whether or not they wish to continue. The information provided about what the collector intends to use that data for should be clear enough to enable the user to make a truly informed decision.
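As an added illustration (not part of the ICO guidance and not any particular site's code), the following JavaScript sketches how a site might gate cookie-setting on the rules described above: cookies for the two exempt purposes are stored without notice, while every other purpose, including a third-party advertiser's cookie, is withheld until the Regulation 6(2) notice has been given and the user has opted in, and is withheld again if they later opt out. The purpose names, the in-memory jar standing in for `document.cookie`, and the sample cookies are assumptions constructed for the example.

```javascript
// Purposes the guidance exempts from the notice-and-refusal requirement.
const EXEMPT_PURPOSES = new Set(["transmission", "strictly-necessary"]);
// Minimal in-memory stand-in for document.cookie (constructed for this example).
class MemoryJar {
  constructor() { this.store = new Map(); }
  set(name, value, attrs) { this.store.set(name, { value, ...attrs }); }
}
// Opt-in consent gate: exempt purposes are stored unconditionally; any other
// purpose is withheld until the notice has been shown and the user opted in.
class ConsentGate {
  constructor(jar) {
    this.jar = jar;
    this.informed = false;      // Regulation 6(2): has the information been provided?
    this.consented = new Set(); // non-exempt purposes the user has opted in to
  }
  recordNotice() { this.informed = true; }
  // An opt-in given before the notice was shown is not an informed choice.
  optIn(purpose) {
    if (!this.informed) return false;
    this.consented.add(purpose);
    return true;
  }
  optOut(purpose) { this.consented.delete(purpose); }
  // Returns true if the cookie was stored, false if it was withheld.
  setCookie({ name, value, purpose, setter = "first-party" }) {
    if (EXEMPT_PURPOSES.has(purpose) || this.consented.has(purpose)) {
      this.jar.set(name, value, { purpose, setter });
      return true;
    }
    return false;
  }
}
// Walk through the cases discussed in the guidance with constructed cookies.
function demo() {
  const jar = new MemoryJar();
  const gate = new ConsentGate(jar);
  const r = {};
  r.session = gate.setCookie({ name: "sid", value: "s1", purpose: "strictly-necessary" });
  r.analyticsBeforeNotice = gate.setCookie({ name: "_visits", value: "1", purpose: "analytics" });
  r.optInBeforeNotice = gate.optIn("analytics");
  gate.recordNotice();
  r.optInAfterNotice = gate.optIn("analytics");
  r.analyticsAfterOptIn = gate.setCookie({ name: "_visits", value: "1", purpose: "analytics" });
  // Third-party advertiser's cookie: the same rule applies, and no opt-in has been given.
  r.thirdPartyAd = gate.setCookie({ name: "adid", value: "a1", purpose: "advertising", setter: "ads.example" });
  gate.optOut("analytics");
  r.analyticsAfterOptOut = gate.setCookie({ name: "_visits", value: "2", purpose: "analytics" });
  return r;
}
```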
Wishes of subscribers and users
Regulation 6 states that the relevant information and the opportunity to refuse the cookie type device should be provided to the subscriber or user but it does not specify whose wishes should take precedence if they are different. There may well be cases where a subscriber, for example, an employer, provides an employee with a terminal at work along with access to certain services to carry out a particular task, where to effectively complete the task depends on using a cookie type device. In these cases, it would not seem unreasonable for the employer’s wishes to take precedence. However, it also seems likely that there will be circumstances where a user’s wish should take precedence. To continue the above example, an employer’s wish to accept such a device should not take precedence where this will involve the unwarranted collection of personal data of that employee.