Financial & Legal News

Changing the way the cookie crumbles – are you compliant?


Back on the 26 May 2011 the EU passed some amendments to the Privacy and Electronic Communications Regulations, further expanding its attempts to protect user privacy on the internet. However, the requirements were given a grace period of 12 months before they came into effect. That means that website owners should have become compliant by 26 May 2012 – are you?

The Information Commissioner's Office defines cookies as:

“A small file, typically of letters and numbers, downloaded on to a device when the user accesses certain websites. Cookies allow a website to recognise a user’s device.

“The Regulations apply to cookies and also to similar technologies for storing information. This could include, for example, Local Shared Objects (commonly referred to as “Flash Cookies”), web beacons or bugs (including transparent or clear gifs).”

Changes to EU regulations

The key change in the wording of the Regulations is that whereas previously it was acceptable to assume that a user is happy to have a cookie from your site downloaded to their machine as long as you gave them a way of opting out, now it is a legal requirement to get consent before you can store a cookie.

There are, however, a few examples of exemptions to this requirement. The biggest is that cookies used to track goods being added to a shopping basket are considered to be strictly necessary and therefore exempt from the new rules.

What you need to do

The ICO advises taking a “cookie audit” which should entail looking at where and why you use cookies on your site. Once you’ve done this and assessed which ones you need and which are no longer serving a valid purpose, you can take action.

The first step would be to include more detailed information for website visitors about what data you are monitoring, and then obtain the person’s consent to store your cookies on their machine. This can be done by providing a tick box to check.

Getting consent

To be certain that visitors know they are being tracked, a website will need to provide some kind of pop-up or other attention-grabbing dialogue which explains the use of cookies and then asks for their consent.

A user visiting a site subsequently will not need to re-enter their consent to cookies as the information will already be stored. Any user not accepting our cookies will have a “Please let us monitor you” alert flash at them each time they arrive at the site.

An alternative to this is to show a display once and then assume consent. However, the ICO says that, as knowledge about the extent of cookie tracking is so low, it is not acceptable to do this.

Why does it matter?

There are several reasons why it is a valid concern to UK businesses:

  • It is the law;
  • Your competition will be complying. Customers shop around and if a website is ‘behind the curve’ they may perceive you as either outdated, or as a company that is trying to ignore their rights;
  • The ICO can impose a fine of up to £500,000 on an organisation it deems to have “seriously contravened the regulations”.

However, the ICO has put together a very detailed guide explaining the changes in the law and giving some examples and suggestions of both exemptions and possible solutions to the issue.

Please note that the information and opinions contained in this article are not intended to be comprehensive, nor to provide legal advice. No responsibility for its accuracy or correctness is assumed by Pearson Solicitors and Financial Advisers Ltd or any of its members or employees. Professional legal advice should be obtained before taking, or refraining from taking, any action as a result of this article.

This blog was posted some time ago and its contents may now be out of date. For the latest legal position relating to these issues, get in touch with the author - or make an enquiry now.
