Cookies - the new rules

The use of cookies has increased dramatically in recent years, with website owners finding new and more creative ways of exploiting them in order to assess users’ behaviour. The regulation of how cookies may be employed has recently been reviewed by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 and the deadline for compliance with these new regulations is 25 May 2012.

A cookie is a small file of letters and numbers downloaded onto a device when a user accesses certain websites. Cookies allow a website to recognise a user’s computer/mobile etc, which can be useful in enabling a more customised setting for users.

The regulations came into effect on 26 May 2011 and govern the use of cookies and similar technology. Under these rules a browser may only set a cookie or similar technology where the user has:

been provided with clear and comprehensive information about the purposes for which the cookie is stored and accessed; and
given his or her consent to this.

The consent must be explicit ie specific and informed based on the information provided. No longer is it adequate for a website to infer consent if a browser is not set to block a particular cookie.

Is consent required for all cookies?

The regulations provide for a limited exception to the consent rule where cookies are “strictly necessary”. This includes cookies that are:

set for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
strictly necessary for the provision of an information-society service requested by the subscriber or user.

The guidance issued by the ICO gives as an example of an exempted cookie a cookie which is used to enable an online checkout or payment system to function. The guidance also advises that this exception should be construed narrowly, so it is unlikely that this exception will be very useful for website owners.

How can consent can be obtained?

There a number of ways website owners can get their users’ consent to setting cookies and some of these are discussed in the ICO guidance. As a general rule they advise that the more intrusive the activity of the cookie, the more steps a website owner will need to take to get meaningful consent

Options for obtaining consent include:

pop-ups: perhaps the easiest way of getting a user’s consent, this is a direct way of getting a user to agree to cookies being placed. The ICO acknowledges however that this option may potentially spoil the experience of using the website and be very frustrating for the user if there are a large number of cookies.
terms and conditions: this can be a good way of obtaining consent where the user is required to subscribe to the site or register when making a purchase. The ICO guidance notes, however, confirm that to satisfy the new rules, existing users should be made aware of the changes and the cookies in use. For sites where users are not required to register and agree to terms and conditions, changes to the terms and conditions alone will not be sufficient.
settings-led consent: in situations where a cookie is required to ‘remember’ a setting selected by the user e.g. a colour scheme or language option, it may be sufficient to warn users that turning on this setting will place a cookie on their browser.
highlighted text: websites could perhaps ensure compliance by placing text in the header or footer of a webpage which is highlighted when a cookie is to be placed.

Steps to be taken

The ICO allowed websites a transitional period of 12 months in which to ensure compliance with the regulations. This means that by 25^th May 2012 website owners will need to ensure that their websites are compliant.

In assessing what measures to take, organisations should consider the following:

what type of cookies they use and how they are used
how intrusive those cookies are
what solution is best to obtain consent in the circumstances relating to their business.

Unresolved issues

One issue that remains unclear, despite ICO guidance, is exactly how compliance will be achieved with third party cookies. These are the cookies that are often used by advertisers when placing adverts on others’ websites. Although it is clear some collaboration will be required with the third party setting the cookies, it is still not certain how this will work in practice. We would recommend that businesses, for the time being, take reasonable and practical measures to work with third parties and at least draw to users’ attention the fact that third party cookies are being used, pending further guidance.

Although correct at the time of publication, the contents of this article are intended for general information purposes only and shall not be deemed to be, or constitute legal advice. We cannot accept responsibility for any loss as a result of acts or omissions taken in respect of this article. Please contact us for the latest legal position.

How can we help?

Please send us your enquiry in the form below and we'll get back to you as soon as possible

Forename Please enter your forename

Surname Please enter your surname

Email Please enter your email address

Telephone Please enter your telephone number

Area of Law

Please select which area of law your enquiry is related to

Your question Please enter a question

How did you hear about us?

Please let us know how you heard about us

I consent to receiving the occasional email regarding legal news, seminars and your other services which may be of interest.

Please enter the verification code

Cookies - the new rules

Provisional Road Injury Statistics for 2025 Released

Ex-husband's Share of Family Home Held by Trustees in Bankruptcy