The new cookie law aims to protect personal data, privacy and other rights of website users.
Cookies are text files stored by web browsers. The information they hold can be used for authentication, for identifying a user session, for recording a user’s preferences and shopping habits, and for tracking browsing activities.
Website owners must:
- inform users about cookies and what you are going to use their information for; and
- obtain users’ consent to the placing of the cookies.
In other words, a website owner must not store information or gain access to information stored in the computer of a user unless the user “is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information” and “has given his or her consent”.
The type of consent needed to satisfy the requirements of the UK Regulations is unclear, and there are conflicting opinions on how the consent requirement will operate in practice. The Information Commissioner’s Office (ICO) has published guidance that offers advice on when and how consent may be given. The guidance states:
“You need to provide information about cookies and obtain consent before a cookie is set for the first time. Provided you get consent at that point you do not need to do so again for the same person each time you use the same cookie (for the same purpose) in future”.
The consent requirement is more difficult to satisfy. The ICO guidance suggests a number of ways to obtain consent. Consent could be obtained via:
- use of pop-ups asking for consent;
- terms and conditions of use which users agree to upon registering on a website;
- text in the header or footer of a webpage;
- inclusion in preferences that users set when using a website; and
- a hybrid of the above methods.
Under the new law, the only exemption to the consent requirement is where the cookie is strictly necessary for a service requested by the user. If a cookie forms an integral part of a website’s functionality, for example a shopping basket or the storage of a user’s personal preferences, then there is no need to obtain the user’s consent.
The new cookie law carries a maximum fine of £500,000 for serious breaches. The ICO confirmed that until May 2012 it will not take any enforcement action against companies or website owners that are trying to find solutions to the problem of obtaining consent. From May 2012, the ICO will decide on a case-by-case basis whether enforcement action is appropriate.
WHAT SHOULD WEBSITE OWNERS DO TO COMPLY WITH THE NEW COOKIE LAW?
- Check what type of cookies and similar technologies you use and how you use them.
- Decide which method of obtaining consent will work best in your circumstances.