The Regulations require that a website provider provide certain information and obtain valid consent from a user before storing any cookies on their computer.
Although there has been a transitional period where the Information Commissioner’s Office (“ICO”) was not actively enforcing the Regulations, this has now expired and the Regulations are being enforced from May 2012.
What are Cookies? (Background)
Cookies are small files that websites may store on a user’s computer. The way that the world wide web works means that it is difficult for a server serving a web page to one user to tell whether or not it is the same user who accesses another page. Cookies were invented to overcome that problem. For instance, a cookie storing the contents of your shopping basket will ensure that the website remembers your basket no matter how many different pages you browse.
Summary of the New Rules
The key aspects of the new rules laid down by the Regulations are:
If a cookie is “strictly necessary” for the purposes of the service that the user is accessing it does not require consent. This exemption is however extremely narrow. An example might be an online shop. Cookies that are “strictly necessary” to provide the shopping basket functionality and which are set only when the user accesses such functionality will likely be exempt from the requirement to get consent. Cookies used to recognise the identity of a returning user on the same site would not.
How to Comply
If you or your business operates a website you will need to take the following steps to ensure compliance with the Regulations:
- Find out what cookies your site is using. Often businesses will not be aware that their commissioned website is using cookies to provide certain functionality. In addition, if the developers have incorporated code relating to things like the Google Affiliate Program or quick links to sharing on the likes of Twitter or Facebook, it is likely that code will be setting cookies from those third parties through your website. Both you and the third party in question are jointly responsible for getting consent for these third-party cookies.
- Prepare a summary of the cookies and what they do. The Regulations do not set out a format for this, but it is the best way to ensure information regarding cookies is given in compliance with the Regulations. You should take into account the typical user of your website and the level of technical information they are likely to understand or indeed want.
- Get users’ consent before the cookie is set. There are various methods of obtaining prior consent including pop-up windows, static banners and browser settings. You can have consent as part of your terms and conditions provided that the user has to explicitly agree to them before the cookie is set (e.g. “Click here to agree to the above terms”).
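The three steps above, as an added example that is not part of the original post: a small consent gate in JavaScript that keeps an inventory of the cookies a site sets, flags any cookie not yet documented, produces the user-facing summary, and only allows a cookie to be set before consent when it is marked strictly necessary. The inventory, cookie names and the sample cookie string are constructed for illustration.

```javascript
// Constructed inventory: what each cookie does and whether it falls under
// the narrow "strictly necessary" exemption described in the post.
const COOKIE_INVENTORY = {
  basket: { purpose: "Holds the contents of your shopping basket", strictlyNecessary: true },
  returning_user: { purpose: "Recognises you as a returning visitor", strictlyNecessary: false },
  _ga: { purpose: "Third-party analytics (Google)", strictlyNecessary: false, thirdParty: true },
};

// Parse a Cookie header / document.cookie string ("a=1; b=2") into a map.
function parseCookieString(cookieString) {
  const out = {};
  for (const part of cookieString.split(";")) {
    const trimmed = part.trim();
    if (!trimmed) continue;
    const eq = trimmed.indexOf("=");
    const name = eq === -1 ? trimmed : trimmed.slice(0, eq);
    const value = eq === -1 ? "" : trimmed.slice(eq + 1);
    out[name] = value;
  }
  return out;
}

// Step 1 (find out what cookies your site is using): cookies present in the
// browser that nobody has documented in the inventory yet.
function findUndocumentedCookies(cookieString, inventory) {
  return Object.keys(parseCookieString(cookieString))
    .filter((name) => !(name in inventory))
    .sort();
}

// Step 2 (prepare a summary): one plain-language line per cookie.
function cookieSummary(inventory) {
  return Object.entries(inventory).map(([name, c]) => {
    const basis = c.strictlyNecessary ? "strictly necessary, no consent needed" : "set only with your consent";
    const party = c.thirdParty ? "third-party" : "first-party";
    return `${name}: ${c.purpose} (${party}; ${basis})`;
  });
}

// Step 3 (consent before the cookie is set): the gate every cookie write goes
// through. Unknown cookies are refused until they are inventoried.
function maySetCookie(name, inventory, consentGiven) {
  const entry = inventory[name];
  if (!entry) return false;
  if (entry.strictlyNecessary) return true;
  return consentGiven === true;
}
```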
Consequences of Non-Compliance
The ICO’s powers to enforce the Regulations range from the power to issue Information Notices (requiring an organisation to provide the ICO with specified information), to the power to issue Enforcement Notices and even monetary penalties (up to £500,000). The ICO has said that it will take a practical approach in enforcing the Regulations. Deliberate flouting of the rules or a complete lack of attempts to comply will likely attract harsher penalties. A genuine attempt to comply however will likely be looked upon more favourably.
Further Advice and Information
If you would like advice or further information regarding the Regulations, or just an informal discussion about any of the above, please do not hesitate to contact us. Members of our commercial team would be pleased to speak to you.
Disclaimer: Anything posted on this blog is for general information only and is not intended to provide legal advice on any general or specific matter. Please refer to our terms and conditions for further information. Please contact the author of the blog if you would like to discuss the issues raised.