New Rules for Using Cookies: A Recipe for Confusion?

The law regarding the use of cookies changed on 26 May 2011 when the Privacy and Electronic Communications Regulations 2003 were amended to bring the UK into line with the changes made to the original EC Directive in this area. Despite uncertainty over how best to address these changes in practice and the promise of greater clarity in the future, owners and operators of websites should be taking action now to comply with the new rules.

What are cookies?

Cookies are small text files which websites use to track and record information about users' behaviour and site visits. The Information Commissioner's Office (ICO) has warned that organisations using cookies will need to take active steps to comply with the new requirement to obtain the consent of users.

Cookies and consent - how has the law changed?

Prior to the changes on 26 May 2011, the law provided that organisations using cookies had to provide clear information to users on how they used cookies and how those users could 'opt out' if they objected. For most websites this simply meant putting appropriate information on the use of cookies in the website privacy policy, including the ability of a person to 'opt out' of such use.

The new law means that organisations using cookies are required to obtain the consent of users to place cookies on machines. The only exception to the new rule is if a cookie is 'strictly necessary' for the task which the user has asked the website to perform. This exception will be interpreted narrowly. An example is a cookie which is used to 'remember' what a person has ordered on a website when moving to the checkout page.

How do I ensure that my organisation is compliant?

The ICO has issued guidance on its website (www.ico.gov.uk) on how to comply with the new rules. However, it is not quite as helpful as ICO guidance normally is, because the new rules were implemented before technical solutions to achieve compliance became available. Prior to the implementation of the new rules it was felt that more sophisticated browser settings would in most cases be sufficient to obtain this consent. Unfortunately such settings do not currently exist, so while discussions with browser manufacturers are taking place at UK and EU level, no such solution is generally available at present.

The ICO guidance therefore stresses that it is for the website owner or operator to assess what needs to be done to achieve compliance with these new laws. The more intrusive the use of cookies, the greater the priority in getting what the ICO calls "meaningful consent" to that use.

The ICO guidance covers a range of options, all of which can be used to achieve compliance. As well as browser settings, the ICO suggests the use of pop-ups, or requiring users to accept terms and conditions which properly explain the use of cookies. It also suggests obtaining consent as part of the website settings which a user may be asked to choose from.

What will happen if my organisation does not comply with the changes?

Perhaps not surprisingly, given the lack of clarity on compliance and the absence of suitable technical standards to achieve it, the ICO is taking a fairly sympathetic view on enforcement. It has said that it will take a proportionate view of any non-compliance and will focus on instances where breach has caused detriment to consumers. It has also indicated that it will allow a bedding-in period of 12 months to enable organisations to work out how best to comply with the new laws, and no doubt to see if new technical standards are available in this time.

This period mirrors the recent comments of the European Commissioner, who challenged all interested parties to come up with a uniform technical standard which will provide users with a simple way to opt out of cookies, but which also allows website operators to comply with the new rules.

Hopefully such a technical standard will be developed soon, but in the meantime organisations should consider their use of cookies carefully and make sure that they are taking appropriate steps to obtain user consent.

If you have any queries about the use of cookies by your organisation, please contact Alison Bryce.

© Copyright 2016 MMS / Maclay Murray & Spens. All Rights Reserved.