The Regulations do not use the term “cookie”² but it is generally acknowledged that cookies are the most common technology captured by the relevant requirements. A cookie is a small text file stored by a web browser and containing information about a user’s visit to a website. Cookies may be “session” based (meaning they expire when you close your browser) or “persistent” (meaning they are remembered on subsequent visits).
The key requirements under the Regulations are that users must:
(a) be provided with clear and comprehensive information about the purposes of the cookie; and
(b) have given their consent to the use of the cookie.
The appropriate method(s) by which information is given and consent obtained has been the topic of much consideration and debate within business forums since the introduction of the new law. The method may vary from case to case, depending on the nature of the cookies being used, how intrusive they are on the privacy of the user, and what is clear and practical for the website in question. A couple of specific considerations:
(a) Providing information
(b) Obtaining consent
To constitute an effective consent, a user must fully understand that they are giving consent and to what they are giving consent. Options to obtain consent may include a specific pop-up on cookies, or, if a cookie is being created as part of a new website feature, combining cookie consent with the notification/acceptance of the feature. Consent could be obtained as part of acceptance of other terms and conditions relating to the website, as long as the information provided is sufficiently obvious and clear.
The Regulations provide that consent may be signified more generally by internet browser settings or other applications. However, the Information Commissioner’s Office has indicated that most browser settings are not yet sophisticated enough in terms of ensuring that users have clearly considered their options. Therefore, for now, relying solely on browser settings will not be sufficient for compliance⁴.
There are limited exceptions to these requirements, including where the cookie is strictly necessary (N.B. “necessary” not “desirable”) to provide an online service requested by the user. For example, this may apply where it is necessary to use a cookie to remember what a customer has placed in their “shopping basket”.
To the extent you use a third party to develop or maintain your site, or include third party advertisements or materials on your website (or vice versa), you should ask them what cookies may be included and what user information may be obtained, so that these form part of your compliance considerations. Similarly, if you provide materials relying on cookies to third party web publishers, you may wish to work with them to provide required information and obtain consents. You should also look to address privacy compliance issues in the terms of your agreements with all such third parties.
The Information Commissioner has acknowledged that there is a challenge in compliance; however, as noted above, he will expect compliance measures to have been taken by May 2012. If it is not an issue you are already addressing, then it would be prudent to get started to avoid the risk of enforcement action against you later this year.
Olivia Whitcroft, principal of OBEP, 21 January 2012
1 See December 2011 ICO news release at: http://www.ico.gov.uk/news/latest_news/2011/must-try-harder-on-cookies-compliance-says-ico-13122011.aspx.
2 The relevant provision of the Regulations is that “a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements...are met.”
3 See, for example, study conducted by PricewaterhouseCoopers LLP, dated April 2011: http://www.culture.gov.uk/images/consultations/PwC_Internet_Cookies_final.pdf
This article provides general information on the subject matter and is not intended to be relied upon as legal advice. If you would like to discuss this topic, please contact Olivia Whitcroft.