News of the new cookie regime is slowly filtering its way through to website owners, but whilst many have taken active steps towards compliance, many more have yet to take any action, despite new laws on cookies coming into force in the UK more than a year ago.

What are Cookies?

Cookies are small data files which most website operators place on the browser or hard drive of their user's computer. Cookies may gather information about the user's use of the website or enable the website to recognise the user as an existing customer when he/she returns to the website at a later date. They have also been used to collect information about the user which allows the website operator or a third party to create a profile of the user, his/her preferences and his/her interests for the purpose of serving the user with targeted, interest-based advertising.

What is the new Cookie Regime?

The new cookie regime has come about as a result of revisions to the EU Privacy and Electronic Communications Directive (2002/58/EC) as revised by the Citizen's Rights Directive (2009/136/EC) and has been implemented in the UK through the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (Regulations).

Under the revised Regulations the use of cookies is now, in most cases, only allowed if the user has given "informed consent". This will only be given if the user concerned:

  • has been provided with clear and comprehensive information about the purposes for which the cookie is stored and accessed; and
  • has given his/her consent.

This represents a substantial change from the previous regime which operated on the basis that cookies were placed on a user's machine unless and until such time as the user 'opted out' and requested them to be removed.

Why has the law changed?

The law has changed in an attempt to provide greater privacy for internet users, prompted partly by concerns about online tracking of individuals. The new regime will prevent information being stored on a user's computer and used to recognise them via the device they are using without their knowledge and agreement.

When do you have to comply with the new regime?

The Regulations have been in force in the UK since 25 May 2011. The Information Commissioner's Office (ICO), which is responsible for enforcing the Regulations, granted businesses a lead-in period of 12 months to allow them to develop ways of meeting the new regime, as it understood that this was never going to be an easy task for businesses. This lead-in period ended in May 2012, so all website owners should now be complying with the new regime.

What practical steps should you take?

Review the ICO Guidance

A useful starting point for businesses using or wanting to use cookies on their website is the 2012 guidance published by the ICO entitled "Guidance on the rules on use of cookies and similar technologies" (2012 Guidance).

Conduct a Cookie Audit

The ICO recommends conducting a cookie audit as the first step towards achieving compliance. The focus of your cookie audit should be to ascertain what cookies are operating on your website, the purpose of each cookie, what data each cookie holds, the type of cookie it is (persistent/session), its lifespan and whether it is a first party or third party cookie.
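As an added illustration (not part of the original article or the ICO guidance), the following Python script sketches the technical half of such an audit: it takes Set-Cookie headers captured from a site's responses and records, for each cookie, who set it, whether it is session or persistent, its lifespan in days, whether it is first or third party, and its security flags. The site host, the sample headers and the fixed audit time are constructed assumptions; the purpose and data-held columns still have to be filled in by hand.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Assumptions (constructed for this example): the audited site's host, a fixed clock so
# lifespans are reproducible, and captured (host that sent the response, Set-Cookie value) pairs.
SITE_HOST = "www.example.com"
AUDIT_NOW = datetime(2024, 12, 2, tzinfo=timezone.utc)
SAMPLE_RESPONSES = [
    ("www.example.com", "sessionid=abc123; Path=/; HttpOnly; Secure"),
    ("www.example.com", "prefs=lang%3Den; Max-Age=2592000; Path=/"),
    ("ads.tracker-example.net", "uid=xyz; Expires=Wed, 01 Jan 2025 00:00:00 GMT; "
                                "Domain=.tracker-example.net; Path=/"),
]

def registrable_domain(host):
    # Crude: last two labels. A real audit should use the Public Suffix List (e.g. for "co.uk").
    return ".".join(host.lower().strip(".").split(".")[-2:])

def parse_set_cookie(header):
    # Split "name=value; Attr=val; Flag" into name, value and a lower-cased attribute map.
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {k.strip().lower(): v.strip() for k, _, v in (p.partition("=") for p in parts[1:])}
    return name.strip(), value, attrs

def lifespan_days(attrs, now):
    # RFC 6265: Max-Age takes precedence over Expires; neither attribute means a session cookie.
    if "max-age" in attrs and attrs["max-age"].lstrip("-").isdigit():
        return max(0, int(attrs["max-age"])) / 86400
    if "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
            return max(0.0, (expires - now).total_seconds() / 86400)
        except (TypeError, ValueError):
            return None  # unparseable or zone-less date: treated as session, check by hand
    return None

def audit_cookies(responses, site_host, now):
    # One audit row per cookie: who set it, type, lifespan, party and security flags.
    site_domain = registrable_domain(site_host)
    rows = []
    for origin_host, header in responses:
        name, _, attrs = parse_set_cookie(header)
        days = lifespan_days(attrs, now)
        cookie_domain = registrable_domain(attrs.get("domain") or origin_host)
        rows.append({"name": name, "set_by": origin_host, "lifespan_days": days,
                     "type": "session" if days is None else "persistent",
                     "party": "first" if cookie_domain == site_domain else "third",
                     "secure": "secure" in attrs, "httponly": "httponly" in attrs})
    return rows
```

Run `audit_cookies(SAMPLE_RESPONSES, SITE_HOST, AUDIT_NOW)` to get the rows for the three sample cookies; in practice the headers would come from a crawl of the site's pages.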

Provide Clear and Comprehensive Information to your Users about your use of Cookies

Information about cookies must be displayed on your website in a clear, user-friendly manner. Your cookie audit will help you to identify the information that you will need to display. The ICO has suggested two main ways of displaying information about cookies:

  • by including a table or list of the cookies used on the website and their purpose in your Privacy Policy (may be appropriate for more technically savvy users); or
  • by including a broader explanation of the way cookies operate and the categories of cookies used on your website (may be more appropriate for the majority of users given the lack of knowledge and understanding of cookies).

Make sure you bring information about Cookies to your user's attention

Information about cookies now needs to be brought to a user's attention when they access your website. A link to information on cookies must be prominently displayed.

Consider:

  • setting up a prominent link to a separate cookie policy;
  • including information on cookies in your Privacy Policy and renaming this your "Privacy and Cookie Policy";
  • placing the link to your cookie policy in the header rather than the footer of the page;
  • using different colours, fonts, mouse-over highlights or an easily identifiable icon to link to information about cookies;
  • adopting short term measures such as news items and blog posts to draw the attention of users to your new cookie policy.

Obtain "opt in" consent to the use of cookies or consider whether you can rely on "implied consent"

The EU's Article 29 Working Party has made it clear that in order to achieve compliance with the new cookie regime website operators must obtain a user's consent to the use of cookies:

  • before the cookie is set; and
  • through an affirmative step on the part of the user.

This suggests that "opt in" consent to cookies must be obtained and makes it difficult for website operators to obtain consent in an "implied" way. However, the 2012 Guidance published by the ICO suggests that implied consent (obtained through privacy policies or default privacy or browser settings) is a reasonable proposition in the context of the storage of or access to information when using cookies, at least where non-sensitive personal data is concerned. In forming this opinion, the ICO has taken a different view from the majority of data protection regulators in other member states, as well as from the Article 29 Working Party, which ruled out the use of implied consent. Decisions to rely on implied consent should not therefore be taken lightly. In particular, relying on implied consent could cause problems for UK website operators who place cookies on the equipment of non-UK EU citizens. It will be important to continue to monitor developments in this area carefully.

Ways of obtaining "Opt In" Consent

The 2012 Guidance puts forward a number of practical ways in which affirmative consent to the use of cookies may be obtained, some examples of which are set out below.

  • Pop-up windows, splash pages or static information banners displayed in a prominent place on the website containing tick boxes for opt in consent. Note that once a user accepts the use of cookies, consent need not be sought every time a user enters a website.
  • Terms and Conditions and Privacy Policies - if your website asks users to tick a box to say they agree with your terms and conditions and privacy policy as part of the registration process, you may be able to gain consent to the use of cookies in this way if you place a cookie policy within these documents. However it is unlikely that this will be sufficient to comply with the new Regulations given that the level of awareness concerning cookies is extremely low. Note that if you do change your terms and conditions and privacy policy to deal with the new cookie regime, you will have to bring this to the attention of your users - you cannot rely on previous consent to those terms or policies.
  • Features and User's Preferences - In many cases, websites set cookies to remember preference settings specifically chosen by users or to enable value-added features of the website. In such cases you may be able to obtain the user's consent to the use of cookies when users make their choices about those preferences or functionalities.

The ICO has stressed that there is no 'one size fits all' approach and they believe that organisations themselves are best placed to develop their own solutions, as they will know how and why their customers use their websites better than anyone else.

Relying on Implied Consent under the 2012 Guidance

The 2012 Guidance issued by the ICO states that you can only rely on implied consent on the basis that:

  • it is specific and informed; and
  • there is some action on the part of the user from which consent can be inferred.

If you intend to rely on implied consent you must inform the user that a specific action on his part will be interpreted as him giving consent to the use of cookies. This needs to be "clear and relevant" and should result in a clear understanding between you and the user. Highly technical language should be avoided.

The 2012 Guidance confirms that if a website includes a clear and unavoidable notice that cookies will be used if the user enters the website and if the user, on that basis, clicks through and continues to use the website, this would be sufficient to imply consent.

Third Party Cookies

Third party cookies present difficulties and if third party cookies are used on your website you should consult the 2012 Guidance and seek further advice in respect of obtaining a user's consent to those cookies.

What are the consequences of failing to comply with the new Cookie Regime?

Where organisations refuse or fail to comply voluntarily with the Regulations, the ICO has a range of options available in order to take formal action, which include, amongst other things, formal undertakings, enforcement notices and monetary penalties. However, the ICO has indicated that its existing strategy on enforcement is focused on achieving compliance by the most appropriate means, so monetary penalties are only likely to be used in very serious cases. Website owners are advised to continually monitor the new cookie regime and how it is adopted and enforced, and to comply with current practice as it develops.

This article contains a general summary of developments and is not a complete or definitive statement of the law. Specific legal advice should be obtained where appropriate.