Main changes to the Privacy and Electronic Communications Regulations 2003

Disclaimer: The information contained here is not warranted to be correct, accurate, valid, up to date or error-free nor does it constitute professional legal advice. Follow any advice or suggestions at your own risk and responsibility.

So, what are the Privacy and Electronic Communications Regulations?

The official title of these regulations is the Privacy and Electronic Communications (EC Directive) Regulations 2003 (I’ll call them the “2003 Regulations” from here on). Since the 2003 Regulations were introduced, there have been two amendments to them – one in 2004 (2004 No. 1039) and one in 2011 (2011 No. 1208). If you are wondering why a lot of European websites (including websites hosted in the UK) are warning you of “cookies” being used, it is because of the 2011 amendments to the 2003 Regulations, which the government needed to implement to comply with European law. The “European law” in question is EC Directive 2002/58/EC. A European directive is essentially an order to the member states to implement domestic law, as appropriate to their country, that meets the requirements set out in the directive. European directives are only enforced upon the member state; if a member state does not implement correct measures to comply with an EU directive, it is the government that is answerable, not the organisations or anyone else that may naturally fall under the scope of what the EU directive covers.

What is the primary purpose of the Privacy and Electronic Communications Regulations?

If you are wondering what piece of law covers the sending of marketing e-mails, calls and texts – and the fact that companies cannot send unsolicited marketing messages without the consent of the “subscriber” – well, that’s the 2003 Regulations. However, the scope of what is covered under these regulations has recently expanded, requiring website administrators to ask the website visitor for consent before storing information, or accessing information stored, on the computer of an end user. Cookies fall under the scope of these new regulations because cookies are small text files that are stored on the end user’s computer.

So how can consent be requested? Well, there is no specific rule as to how you request consent, as long as you request it and the way in which you do so conforms to the requirements of the applicable regulations. You could do this, for example, by showing an overlay notification to new visitors to your website. Once a user consents to the placement of cookies, under Regulation 7(3), you can continue to set cookies because the end user has previously consented to it – which is explicitly specified in Regulation 7(3)(b) as amended in the 2011 No. 1208 Regulations. For new visitors, you can display a notification stating that computer cookies are used, with a brief explanation of what they may be used for on your website and a hyperlink to a page disclosing further information about what cookies are, what cookies may be set and why they are used.

Do I need to have consent before I can place any cookies at all?

Not necessarily. Regulation 6(1) and Regulation 6(2) of the 2003 Regulations are where the specific provisions concerning accessing or storing information on an end user’s computer are located. However, Regulation 6(4) states:

(4) Paragraph (1) shall not apply to the technical storage of, or access to, information

(a) for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network; or

(b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.

Are there any pre-made solutions I can consider for compliance?

Yes, there are. If you have a WordPress blog, there are many plugins that can be used to help towards complying with the regulations. It is important to remember that as well as having a notification overlay, which some plugins definitely help with, you also need a separate page detailing what cookies are set and why. Of course, a brief explanation of what cookies are should be added too. You can advise your website visitors that, if they want further information regarding cookies and how they can control the cookies websites set, they can visit websites like AboutCookies.org.

For websites, you can use similar solutions like the Civic Cookie Control.

Don’t forget you need to explain what cookies are set, why they are set and give users details/instructions on how they can refuse cookies from websites. Usefully, websites like AboutCookies.org have helpful sections guiding users on how to control and delete cookies in all major web browsers. So ideally, linking to that website can help towards complying with the regulations, because you are giving additional information to the website visitor on how they can find out more about cookies and how they can control them.

More information…

Privacy and Electronic Communications (EC Directive) Regulations 2003

Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2004

Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011

Information Commissioner’s Office – Cookie Regulations and the new EU cookie law

EUR-Lex: 2002/58/EC
