Out-Law News 3 min. read
08 Apr 2013, 2:22 pm
Joanna Tomaszewska, an expert in privacy laws at Polish law firm SSW, told Out-Law.com that if users do not alter browser settings that as default enable cookies, website operators, or third parties such as advertising networks, could serve cookies providing they have complied with new rules relating to the quality of information about cookies that should be made available to users. In such cases the inaction of a properly informed user will be sufficient to constitute acceptance of cookies, she said. Properly informed users would be able to block cookies by changing the settings in their browsers.
Changes to Polish telecoms law, relating to the regulation of cookies, took effect late last month. Cookies are small text files that remember users' activity on websites which website operators and third parties place on users' machines in order to record that information.
Under the EU's amended Privacy and Electronic Communications Directive storing and accessing information on users' computers is generally only lawful "on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information … about the purposes of the processing".
This 'cookies law' has now been brought into force in Poland through changes to the country's telecoms laws.
Tomaszewska said that the President of Polish regulator the Office of Electronic Communications (OEC) now has the power to issue financial penalties to businesses that breach of the cookies rules of up to 3% of their annual profits gained in the preceding calendar year.
"The provision is so recent they have not got a policy about how they will tackle infringement so we need to wait to see how they approach the first few cases to see whether, and to what extent, any financial penalties will be levied," Tomaszewska said.
"The new amendment imposes a very strict information duty that requires businesses to clearly inform website users, through easily accessible and comprehensible information, about the purposes that cookies will be served as well as detailing that users can define the conditions of processing of their data through specific software or browser settings, or by service configuration," she said.
Tomaszewska said that if businesses meet these information requirements, individuals' consent to being served cookies will be said to have been given where those individuals do not act to alter their privacy settings.
"If individuals do not change default settings but have received all the information [businesses need to provide to comply with the Polish regulations] it will be considered as explicit consent," Tomaszewska said. "The impact of the changes in the law is therefore the strengthened information duty that businesses are now under."
"The practical result has been that lots of Polish websites are now displaying banners that contain text that link through to an amended cookies policy that sets out all the information required to be provided under the revised law," she added.
Tomaszewska said that the new cookies laws in Poland were set in a such a way that they apply to all organisations that have websites or provide internet services. However, she said that it is not yet clear how the OEC would approach sanctions for loss-making companies. This is in light of the fact that the maximum penalty for infringement is fine of up to 3% of firms' annual profits gained in the preceding calendar year.
"Right now, because no guidance has been given, it is difficult to say how the OEC will tackle infringements involving loss-making firms," she said.
The telecoms amendments in Poland give the President of the OEC the power to issue fines to businesses that have already ceased infringement or taken action to remedy damage caused through infringement, Tomaszewska said. She said the regulator would be able to consider the "duration, scope and consequences of a breach" when determining whether a financial penalty in such cases should be imposed.
"This is something new, although it is too early to know how the OEC will impose penalties in relation to non-compliance with the new cookies rules in Poland," she said. Tomaszewska said, though, that she thought the levying of a fine as much as 3% of a company's annual profits would be "rather unlikely".
