
Cookies: New rules being enforced from May 2012


The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (the “Regulations”) bring into force new rules regarding the use of cookies on websites.

The Regulations require a website provider to provide certain information to a user, and to obtain that user's valid consent, before storing any cookies on their computer.

 Although there has been a transitional period where the Information Commissioner’s Office (“ICO”) was not actively enforcing the Regulations, this has now expired and the Regulations are being enforced from May 2012.

What are Cookies? (Background)

Cookies are small files that websites may store on a user’s computer. The way that the world wide web works means that it is difficult for a server serving a web page to one user to tell whether or not it is the same user who accesses another page. Cookies were invented to overcome that problem. For instance, a cookie storing the contents of your shopping basket will ensure that the website remembers your basket no matter how many different pages you browse.

 Cookies have long been a valuable tool for advertising companies. Such companies use cookies delivered through their affiliates’ websites in order to manage and track the services they provide. It is these types of cookies (and the privacy concerns that go along with them) that are the primary target of the Regulations.

Summary of the New Rules

The key aspects of the new rules laid down by the Regulations are:

website providers must provide information regarding their use of cookies that is “sufficiently full and intelligible to allow individuals to clearly understand the potential consequences of allowing the cookies should they wish to do so”; and

consent to the use of cookies must be obtained before the cookies are set, and “must involve some form of communication where the individual knowingly indicates their acceptance”.

If a cookie is “strictly necessary” for the purposes of the service that the user is accessing it does not require consent. This exemption is however extremely narrow. An example might be an online shop. Cookies that are “strictly necessary” to provide the shopping basket functionality and which are set only when the user accesses such functionality will likely be exempt from the requirement to get consent. Cookies used to recognise the identity of a returning user on the same site would not.

How to Comply

 If you or your business operates a website you will need to take the following steps to ensure compliance with the Regulations:

There is some debate regarding whether or not website operators can rely on implied consent from users to the use of cookies. In a change to its previously published guidance, the ICO has recently stated that implied consent may be sufficient to comply with the Regulations (reversing its earlier advice). Website operators must however still be able to point to “some action taken by the consenting individual from which their consent can be inferred”. The example given by the ICO is the website for the Department for Business, Innovation & Skills. The approach used by that website is simply a banner on the front page explaining that cookies are used, and a link to further information.

Example Approaches

Different site operators have taken different approaches to try to comply with the Regulations.

BBC News (http://www.bbc.co.uk/news) has opted to display a static banner across the top of the site explaining that it uses cookies (with a link to further information) and that continued use of the site will be taken as the user’s consent. This would appear to comply with the ICO’s new guidelines on implied consent discussed above.

Online retailer Banana Republic (http://bananarepublic.gap.eu) has opted to rely on express consent, displaying a popup box explaining that the site uses cookies and asking the user to click a button stating “I accept cookies from this site”. Interestingly, the site does however set a number of cookies before the user clicks accept, which is technically in breach of the Regulations.

The ICO website itself (http://www.ico.gov.uk) displays a static banner across the top of the site asking the user to tick a box to accept cookies. As you might expect, this is in full compliance with the Regulations and the site does not attempt to set any cookies until the user indicates his or her consent for it to do so.

Consequences of Non-Compliance

The ICO’s powers to enforce the Regulations range from the power to issue Information Notices (requiring an organisation to provide the ICO with specified information), to the power to issue Enforcement Notices and even monetary penalties (up to £500,000). The ICO has said that it will take a practical approach in enforcing the Regulations. Deliberate flouting of the rules or a complete lack of attempts to comply will likely attract harsher penalties. A genuine attempt to comply however will likely be looked upon more favourably.

Further Advice and Information

If you would like advice or further information regarding the Regulations, or just an informal discussion about any of the above, please do not hesitate to contact us. Members of our commercial team would be pleased to speak to you.

Disclaimer: Anything posted on this blog is for general information only and is not intended to provide legal advice on any general or specific matter. Please refer to our terms and conditions for further information. Please contact the author of the blog if you would like to discuss the issues raised.