New Cookie Law

On 26th May 2011 the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (UK Regulations) came into force in the UK. The UK Regulations relate to the use of cookies.

The new cookie law aims to protect personal data, privacy and other rights of website users.

Cookies are text files stored by web browsers. The information they hold can be used for authentication, for identifying a user session, for recording a user’s preferences and shopping habits, and for tracking browsing activities.

Under the new law, if your website uses cookies then you are required to:

  • inform users about cookies and what you are going to use their information for; and
  • obtain users’ consent to the placing of the cookies.

In other words, a website owner must not store information or gain access to information stored in the computer of a user unless the user “is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information” and “has given his or her consent”.

The type of consent needed to satisfy the requirements of the UK Regulations is unclear, and there are conflicting opinions on how the consent requirement will operate in practice. The Information Commissioner’s Office (ICO) has published guidance that offers advice on when and how consent may be given. The guidance states:

“You need to provide information about cookies and obtain consent before a cookie is set for the first time.  Provided you get consent at that point you do not need to do so again for the same person each time you use the same cookie (for the same purpose) in future”.

“At present, most browser settings are not sophisticated enough to allow you to assume that the user has given consent to allow your website to set a cookie. Also, not everyone who visits your site will do so using a browser.  They may, for example, have used an application on their mobile device.  So, for now we are advising organisations which use cookies or other means of storing information on a user’s equipment that they have to gain consent some other way”.

One way to provide website users with information, and so comply with the information requirement of the UK Regulations, is to give them a cookies policy or a privacy policy stating the types of cookies used, the type of information collected and what the information will be used for.

If your website uses cookies then the first step would be for you to have an up-to-date cookies or privacy policy. The Legal Stop has provided a fully comprehensive Website Cookies Policy Template which can be freely downloaded by clicking on the following link:

The consent requirement is more difficult to satisfy. The ICO guidance suggests a number of ways to obtain consent. Consent could be obtained via:

  • use of pop-ups asking for consent;
  • terms and conditions of use which users agree to upon registering on a website;
  • text in the header or footer of a webpage;
  • inclusion in preferences that users set when using a website; and
  • a hybrid of the above methods.

Generally, website owners should consider what would work for them by looking at their business and how they use their website. Much depends upon how your website uses cookies. The more privacy-intrusive your activity, the more you will need to do to get the required consent.

Under the new law, the only exemption to the consent requirement is where the cookie is strictly necessary for a service requested by the user. If a cookie forms an integral part of a website’s functionality, for example a shopping basket or the storage of a user’s personal preferences, then there is no need to obtain the user’s consent.

The new cookie law carries a maximum fine of £500,000 for serious breaches. The ICO confirmed that until May 2012 it will not take any enforcement action against companies or website owners that are trying to find solutions to the problem of obtaining consent. From May 2012, the ICO will decide on a case-by-case basis whether enforcement action is appropriate.

WHAT SHOULD WEBSITE OWNERS DO TO COMPLY WITH THE NEW COOKIE LAW?

Owners of websites that use cookies are required to take three steps:

  1. Check what type of cookies and similar technologies you use and how you use them.
  2. Assess how intrusive your use of cookies is.
  3. Decide which solution for obtaining consent will be best in your circumstances.