New Cookies Regulation

June 3, 2011

The law on cookies changed on 26 May 2011. However, the new law was only passed by Parliament three weeks beforehand so website operators have had little time to work out what changes they need to make and to implement them.

Because of this, Christopher Graham, the UK’s Information Commissioner (ICO), confirmed that he will allow a grace period of one year for businesses to comply with the new regulation. However, at the same time he has warned that this does not mean that businesses can ignore the issue for a year:

“We’re giving businesses and organisations up to one year to get their house in order. This does not let everyone off the hook. Those who choose to do nothing will have their lack of action taken into account when we begin formal enforcement of the rules.”

This briefing note looks at what the change in the law means, and what website owners should be doing to comply with the change.

Current legal position

The use of cookies is regulated by the Privacy and Electronic Communications Regulations which came into force in 2003 implementing an EU Directive (the “Regulation”).

The Regulation provides (paraphrasing) that a person shall not store information, or gain access to information stored, in the equipment of a user unless the user:

  • is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
  • is given the opportunity to refuse the storage of or access to that information.

The Regulation does not specify how this information should be provided. Up to now, a privacy or cookies policy on the website, setting out information about the existence of cookies, has been regarded as sufficient.

Furthermore, the Regulation does not specify how users can refuse a cookie. Up to now, the requirements have been met simply by providing information as to how a user may configure his or her browser, as browsers have customizable settings to enable the user to set generic cookie preferences.

Cookies

The Regulation affects all cookies and similar tracking devices such as web beacons. It applies to session cookies (which do not retain any data from one visit to a website to the next) and to persistent cookies (which enables a website to remember you on subsequent visits).

The Regulation also applies to any “information” - even if the user cannot be identified from it - and not just to “personal data”. Where a cookie involves personal data, then the requirements of the Data Protection Act will apply in addition to the Regulation.

Some cookies are more invasive from a privacy perspective than others. For example, a third party cookie that tracks a user’s browsing over multiple websites so as to deliver targeted behavioural advertising is more sensitive from a privacy perspective than a cookie that simply enables a website to generate statistics about its usage. Nevertheless, the Regulation applies equally to all cookies.

The change

The main change to the Regulation is that a cookie may only be used if users have given their consent, having been provided with clear and comprehensive information about the purpose of the cookie.

In essence, this is a move from an “opt-out” to an “opt-in” approach. Whereas previously it was sufficient for websites to notify users of the use of cookies and provide information about how these could be disabled through browser settings, the new requirements are more extensive.
Coinciding with this amendment, the enforcement powers of the ICO have been increased. He can now impose fines up to £500,000 for serious breaches of the Regulation.

Consent

While it sounds reasonable to suggest that users should consent to a cookie, in reality it can be difficult to get consent.

Under data protection laws, consent must be “freely given, specific and informed”. In other words, the user needs to know exactly how the data concerning his or her browsing habits are to be collected, analysed, stored and used. While this can be explained in the website’s terms and conditions or privacy policy, inevitably these documents are detailed, legalistic and complex. Most consumers do not read them, or only do so superficially, and that can hardly be a basis for informed consent.
The central issue, therefore, is how consent can be obtained in a manner which will be compliant with the amended Regulation.

Exemption

The only exemption, where consent is not required, is where the cookie is “strictly necessary” to provide a service "explicitly requested" by the user. This exemption is limited in scope because “strictly necessary” means that the use of the cookie has to be essential, rather than desirable or reasonably necessary. The exemption could apply to cookies for shopping baskets, which are strictly necessary to complete a purchase the user is making, but would not apply to cookies for (for example) advertising, which is not “explicitly requested” by the user.

Guidance

The ICO has acknowledged that obtaining consent can be challenging and has issued some preliminary guidance setting out some options.

  • Audit:  The first step for website owners is to carry out an audit to assess what cookies they use and the purposes of each. Where third party cookies are used – for example, cookies set by affiliate networks used for targeted behavioural advertising - the situation is more complicated; the website owner will need to work with the third party to ensure that appropriate information is provided to users and to ensure that cookies are served only once accepted.
  • Amend privacy policies:  Armed with this information, the privacy / cookie policy will need to be amended to include clear and comprehensive information about all cookies used.

Inevitably, the method that is chosen for eliciting consent will affect the user experience.
Pop-ups:  Although pop-up boxes are a way of obtaining consent, they are disruptive and may deter users. Also, many users opt-out of pop-ups.

  • Registration / T&Cs:  For websites that register users, consent can be sought in the terms and conditions to which the user will agree, provided that clear and comprehensible information is provided. Meanwhile, cookies should not be served to users who have not given consent.
  • Communication with updated T&Cs:  For websites with existing users, one option is to update the T&Cs and privacy policy and then send a communication to all users to advise of them of the changes, and to request opt-in consent. The difficulty is that many users may not respond or, if they respond, may not elect to opt-in. For those users, non-essential cookies will have to be switched off.
  • Website settings:  Consent through website settings is a good option for websites where users can manipulate their privacy settings at a granular level, enabling the website to personalizes the site to the user.
  • Banner:  Using a banner or prompt on the page to solicit consent may be a simple and convenient option for many websites. Seeking to lead by example, the following notice appears on the ICO website:

“On 26 May 2011, the rules about cookies on websites changed. This site uses cookies. One of the cookies we use is essential for parts of the site to operate and has already been set. You may delete and block all cookies from this site, but parts of the site will not work. To find out more about cookies on this website and how to delete cookies, see our privacy notice.

¨I accept cookies from this site.”

The non-essential cookies are not served to the user, unless and until the user ticks the “accept” box when the cookies are served and the notice is cleared from the page.

Consent though browser settings

Although the Regulation states that consent may be signified by setting controls on the browser or other application, current guidance is that it is not sufficient to rely on browser settings to infer consent. This is because browser software is not sufficiently sophisticated to enable users to manage cookies individually. Users cannot be deemed to have consented to a specific cookie simply because they do not change default browser settings or because they make generic changes to settings so as to accept certain types of cookies in bulk.

The government is working with browser manufacturers to develop settings which would meet the requirements of the Regulation.   However, this is likely to take some considerable time to develop and, once developed, roll out. Moreover, websites can be accessed from multiple platforms and versions; for the immediate future, it is likely that websites will have to obtain consent in some other way.

The way forward

It is easy to be critical about the haphazard way in which this legislation has been introduced. However, there is no escaping that businesses must take steps to comply and not rely on the grace period. There are good business reasons to do so. Consumers are increasingly concerned about the privacy of their personal information and are suspicious of technologies that track their online behaviour. Corporate reputations and goodwill can be seriously damaged if a business falls short of privacy standards. Businesses that take privacy seriously can build trust by demonstrating good corporate governance and have much to gain.


Related pages:

Data protection privacy & emarketing more

Data Protection, Privacy and emarketing more

Technology, Media & Digital more

icons Addthis Print Contact Register

Contact

tel: +44 (0) 20 7628 2000
10 Finsbury Square, London, EC2A 1AF
View map

Accreditations

  • Top Ranked Chambers UK 2014 - Leading Firm
  • Ranked in Chambers Europe 2013 - Leading Individual
  • Ranked in Chambers Global 2014 - Leading Firm
  • Legal 500 - Leading Firm
  • The Lawyer UK 200 - Listed Firm
  • The Law Society Excellence Awards 2012 - Shortlisted
  • Investors in People - Bronze