Update: Implementation of new browser cookies requirements

This update provides a brief outline of recent changes to the laws governing the use of website cookies and why it is important to start complying with these rules now.

What are cookies?

A cookie is a small file downloaded onto a device when a user accesses certain websites. Cookies collect information about website users, such as their names, addresses, passwords and other user preferences. They are useful for website operators because they allow a website to recognise a user's device, for example by remembering what a user has put in their shopping basket as they browse the website and what browsing preferences a particular user has.

The current law

A year ago, the laws governing the use of cookies by a website operator, as a method of gathering information about the website user, were changed across the European Community. Under the new legislation, website operators are required to:

1) clearly and comprehensively inform users of the purpose behind the use of cookies on their website; and

2) obtain the user's permission before storing any cookies on the user's device (such as a computer or mobile device).

The major change brought about by the new law is that website operators are now required to obtain the user's consent before storing cookies on the user's device. Previously, website operators were only required to inform users of how cookies were used and how the user could disable cookies if they objected to their use.

Why is this relevant now?

The new rules are relevant now because they are being implemented in the UK from 26 May 2012 onwards.

Although these rules officially came into force on 26 May 2011, the Information Commissioner's Office (ICO), which has responsibility for enforcing the law on cookies in the UK, agreed to give website operators a 12-month lead-in period to comply with the new rules. The ICO is now able to take formal action against any website operators not complying with the rules.

The ICO's approach

The ICO is giving mixed messages on how strictly it intends to enforce the new rules. For example, in its latest guidance note, the ICO has softened its approach to consent by stating that it will permit implied consent from users rather than requiring the user to make an explicit decision on whether to opt in or out of cookies. However, as the lead-in period has come to an end, the ICO will expect website operators to be compliant, or at least to be moving towards compliance, with the new rules.

Whilst the ICO is empowered to issue fines up to a maximum of £500,000, it has stated that its preferred approach is to issue binding undertakings with which website operators must comply. Although these penalties will be reserved for the most serious breaches, website operators should now ensure that their websites incorporate an appropriate method of obtaining the user's permission in order to comply with the law. There has been a fair amount of press coverage in the UK recently regarding businesses either complying or overtly stating that they are not going to comply with the new rules, for reasons which tend to focus on the impracticality of compliance and the disruption to the browsing experience which compliance with the legislation would cause. As fair or reasonable as these reasons may be, we do not recommend that any business fails to comply with its legal obligations, at least to the minimum extent required.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.