PECR amendments feature tighter rules on cookies, compulsory breach disclosure

Beginning May 25, organisations will have to request permission from website visitors before planting cookies on their machines.

Companies planting cookies on the machines of visitors to their websites will need to get explicit permission to do so beginning May 25. New rules introduced as part of a shake-up in privacy legislation are intended to protect consumers from unwanted and intrusive tracking.

The requirement is part of a new package of measures contained in an amendment to the UK’s Privacy and Electronic Communications Regulations (PECR), which also extends the powers of the Information Commissioner’s Office (ICO) and introduces compulsory breach disclosure for telcos and Internet service providers.

In his keynote address on the second day of the Infosecurity Europe conference, David Smith, the deputy commissioner and director of data protection at the ICO, said the guidelines represent a “substantial change” for organisations.

Although the rules become law on May 25, Smith said the ICO will give companies a grace period to adjust to the new cookie requirements.

More guidance on the rules will be issued later, Smith said, but the general principle is that, unless a cookie is strictly necessary to provide a service the visitor has asked for, such as storing the contents of a shopping cart, each website will have to explain why it is using cookies and gain the visitor’s agreement before setting them.
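One way to enforce that principle mechanically, rather than trusting every page template to remember it, is to gate cookie-setting at the HTTP response layer: a middleware lets strictly necessary cookies through and strips any other Set-Cookie header until the visitor’s consent is recorded. The following is an added example written for this page; it is not code from the article, the ICO or any vendor named here. The consent cookie name `cookie_consent`, the `ESSENTIAL` allow-list, and the sample application that tries to set three cookies are all assumptions made for the example.

```python
"""Consent-gated Set-Cookie filtering as a WSGI middleware (added example).

Strictly necessary cookies (session, shopping cart, and the consent record
itself) are always allowed; every other Set-Cookie header is dropped unless
the request already carries cookie_consent=yes.  The names below are
assumptions for the example, not anything the regulations prescribe.
"""
from http.cookies import SimpleCookie

# Assumed: the cookie recording that the visitor agreed to non-essential
# cookies, and the set of cookie names the site treats as strictly necessary.
CONSENT_COOKIE = "cookie_consent"
ESSENTIAL = frozenset({"sessionid", "cart", CONSENT_COOKIE})


def has_consent(environ):
    """True only if the request's Cookie header carries cookie_consent=yes."""
    raw = environ.get("HTTP_COOKIE", "")
    if not raw:
        return False
    jar = SimpleCookie()
    try:
        jar.load(raw)
    except Exception:  # malformed Cookie header: fail closed, no consent
        return False
    morsel = jar.get(CONSENT_COOKIE)
    return morsel is not None and morsel.value == "yes"


def cookie_name(set_cookie_value):
    """Return the cookie name from a Set-Cookie header value, '' if unparseable."""
    pair = set_cookie_value.split(";", 1)[0]
    name, sep, _ = pair.partition("=")
    return name.strip() if sep else ""


def filter_headers(headers, consent_given):
    """Drop Set-Cookie headers for non-essential cookies unless consent is given.

    A Set-Cookie value that cannot be parsed yields the name '' which is not
    in ESSENTIAL, so it is treated as non-essential: failing closed.
    """
    kept = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            if cookie_name(value) not in ESSENTIAL and not consent_given:
                continue
        kept.append((name, value))
    return kept


class ConsentGate:
    """WSGI middleware: wraps start_response so every response is filtered."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        consent = has_consent(environ)

        def gated_start_response(status, headers, exc_info=None):
            return start_response(status, filter_headers(headers, consent), exc_info)

        return self.app(environ, gated_start_response)


def sample_app(environ, start_response):
    """Constructed sample application that tries to set three cookies."""
    start_response("200 OK", [
        ("Content-Type", "text/plain"),
        ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly; Secure"),
        ("Set-Cookie", "cart=item42; Path=/"),
        ("Set-Cookie", "analytics_id=xyz; Path=/; Max-Age=31536000"),
    ])
    return [b"hello"]


def run(environ):
    """Drive the gated sample app; return the cookie names that survived."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["headers"] = headers

    list(ConsentGate(sample_app)(environ, start_response))  # consume the body
    return [cookie_name(v) for n, v in captured["headers"] if n.lower() == "set-cookie"]


if __name__ == "__main__":
    print(run({}))                                     # ['sessionid', 'cart']
    print(run({"HTTP_COOKIE": "cookie_consent=yes"}))  # ['sessionid', 'cart', 'analytics_id']
```

The gate sits in front of the whole application, so a template or third-party widget that forgets the rule cannot set an analytics cookie on a visitor who has not agreed; the consent cookie itself is on the allow-list so the page that records agreement can set it. The trade-off to watch is the allow-list: anything added to `ESSENTIAL` bypasses the gate, so it should be reviewed as carefully as the consent banner copy.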

The ICO will also get new powers to impose a fine of up to £500,000 for the most serious breaches of PECR. This covers businesses and other organisations sending unwanted marketing emails and texts, as well as making live and automated marketing phone calls.

The amendments also give extra investigative powers to the ICO, allowing it to require telecommunications companies and ISPs to provide information the office needs to investigate violations of the regulations. Telcos and ISPs will also be required to report any breach of personal information to the ICO, and, in the event of a serious breach, they will also need to inform the individuals affected. The ICO will also be able to audit telcos and ISPs to ensure they are complying with the breach notification regulations.

“The ICO has been calling for increased powers to regulate breaches of PECR for some time,” said Information Commissioner Christopher Graham in a statement. “The changes to the regulations will grant us the right to impose significant monetary penalties for the most serious breaches of the rules and give us improved powers to investigate companies that make nuisance marketing calls.”

The powers of the ICO have been growing steadily ever since the notorious loss of two CDs at HMRC in 2007, wherein 25 million records went missing. In April last year, the ICO was granted powers to issue fines of up to £500,000 if organisations exhibited negligent disregard for the personal records in their care. So far, four organisations have been fined.

While currently only public sector bodies are required to disclose data breaches, a voluntary regime under the auspices of the ICO has been in place for the private sector. Smith said around 1,500 breach notifications have been received since November 2007. In the year ending March 2011, the ICO received 186 notifications from the private sector, 165 from local government and 146 from health authorities.

With a revamp of EU data protection laws expected by late summer, Smith said organisations can expect compulsory disclosure to be applicable across all sectors “within two to three years.” He said the ICO wanted any such obligation to be proportionate and to apply only to serious breaches.

However, Gaynor Rich, head of information security and payment services for Capita Group plc, admitted that it was “a struggle to know how to meet the requirements at the moment. There is no guidance yet.”

Stewart Room, specialist in technology law for Field Fisher Waterhouse LLP, said the most important aspects of the new rules were those affecting disclosure at telcos and ISPs. “We will have US-style disclosure laws for the private sector within three years, and there is nothing to stop individual states of the EU introducing them before that,” he said.
