< Back

Share |

EU cookie law changes raise compliance stakes for online gambling

Predicting an uncertain outcome is a skill with which the online gambling industry is already well acquainted. However the industry may need to apply that skill to the law if it is to get to grips with recent changes in EU rules relating to the use of cookies.

September 2011

What’s the change?

In December 2009 the EU amended the e-Privacy Directive. One of the most significant changes was to the rules on the use of cookies and equivalent technologies that store or gain access to information on a user's equipment. The change marks a shift away from notice and opt-out, to a requirement for user consent except where the cookie use is "strictly necessary" to provide a service requested by the user. EU member states were required to implement this legislation into national law by 25 May 2011.

The UK approach

New UK law in the form of the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations ('PECAR') came into force from 26 May 2011 and broadly requires computer motherboardthat cookies can only be placed on machines of users who have given consent. There is no requirement under the PECAR for prior consent, yet the Government and the UK regulator, the 'Information Commissioner' ("IC") make clear that browser settings cannot be relied upon to show user consent at present.

Guidance from the IC on the law suggests examples of methods websites could use to obtain consent that typically are a form of prior consent, (such as pop-ups notices that ask if users consent). Other less direct examples include getting consent through a user's agreement to an updated set of website terms and conditions or making clear to users that settings or preferences selected by the user are underpinned by a cookie and that by selecting the setting or preference the user is deemed to consent to the use of that cookie.

There is also a recognition by the Government and the IC that self regulatory approaches (such as the developing Internet Advertising Bureau's European framework for online behavioural advertising) may also offer solutions for certain cookies and that enhancements to browser technology may provide a way of demonstrating a valid consent in the future.

Once a valid consent has been obtained for a specific cookie or cookies, it will not be necessary to obtain consent for those same cookies again each time the user revisits the website. Where, however, use of these cookies changes or new cookies are added, then consent for those new cookies or changes will need to be obtained.

What does this mean for gambling website operators?

Gambling websites are likely to rely heavily on websitescookies to support a wide range of their online services and functions, including personalising user content and preferences, recalling registered account holders and managing their transactions, delivering and tracking the effectiveness of advertising in addition to offering embedded social networking content and conducting website analytics.

Where gambling businesses have a website in the UK or one which actively targets UK users (and places cookies on users machines) it will need to comply with the PECAR, although due to the particular challenge the new cookie rules pose for organisations, the IC has allowed a period of 12 months (ending May 2012) for organisations to put in place methods to comply.

Steps must be taken now in order to meet the extended May 2012 deadline. The IC states that he may issue an organisation with a warning of his intention to make future use of his enforcement powers if he believes it is not doing enough to meet the extended compliance deadline. Enforcement action after this deadline may include fines of up to £500,000 for serious breaches.

In practice this means that organisations should take action now to:

  • Identify the different cookies that are placed on the machines of users who visit their website
  • Assess how intrusive those cookies are; and
  • Implement the most appropriate method by which the consent of the user can be obtained for those cookies.

cookiesAll the different websites under the control of the organisation will need to be taken into account, including how and when cookies are deployed, the purpose of the cookies and whether a third party is involved who can track or analyse the movement of the user across that or other websites.

Transparency will also be important in demonstrating consent. Organisations should consider how clearer information and choices can be presented to users about specific cookies when they first arrive on the website or before they trigger a particular function or setting that relies upon the use of a cookie. Website collection notices, terms and conditions and privacy policies will also need to be reviewed.

What about other countries?

Businesses that have operations or websites hosted in other EU jurisdictions or which actively target users in other EU jurisdictions will also need to comply with the rules of that country on the use of cookies although to date, only six countries (the UK, Sweden, Finland, Ireland, Estonia and Malta) have introduced their amended laws implementing the revised e-Privacy Directive.

Among those countries that have implemented the revised EU law, it is becoming increasingly clear that there are shared uncertainties about what is meant by consent and how to obtain consent. A gambler can therefore confidently bet that rules on how to demonstrate consent will vary from country to country.

If you have any questions on this article please contact us.

EU Cookie Law
Sally Annereau

Sally Annereau


Online gambling operators must act now to identify the cookies served on visitors to their websites and amend their websites to collect visitor consent.

"Steps must be taken now in order to meet the extended May 2012 deadline."