UK: Privacy & Cookies

Last Updated: 15 April 2002
The commercial imperative to comply with best data privacy practice was recently illustrated in the settlement of the DoubleClick case. DoubleClick had to pay $1.8 million to settle actions arising from its improper use of information collected using "cookies". This article focuses on cookies, explaining what they are and what steps your organisation needs to take to use them safely.

Cookies: giving web sites memory

The Internet uses Internet Protocol (IP) numbers to route information. Every computer that is logged on to the Internet will have an IP number (effectively the computerís "street address"). However, a user accessing a web site will usually be anonymous to the web site owner unless he provides his name or email address (e.g. as part of a purchase or by subscribing). Collecting information about visitors is made even more difficult by the fact that most visitors do not have a static IP address - a visitorís Internet Service Provider assigns the visitor a new IP address each time he logs onto the Internet.

To overcome the anonymity associated with dynamic IP addresses, most web sites use cookies. A cookie is a small text file containing a unique identifier (e.g. a large number) assigned by the web site. The cookie is deposited on the hard drive of the web site visitorís computer when he accesses the site. At its simplest, a cookie enables a web site to "recognise" a repeat visitor whatever the IP address. For this reason, cookies have been described as giving web sites "memory".

The ability of a web site owner to link a cookie to information the web site collects about the userís previous purchases or visits provides a web site owner with an incentive to collect information relating to that user. This information may be actively provided by the visitor, such as names, email addresses and telephone numbers, or it may be collected passively e.g. information on which pages were viewed or whether the user visited the site via a search engine or directly.

Cookies allow a web site owner to personalise a userís experience of the site and to build up a "profile" of its visitors. Examples of personalisation include: ensuring that a visitor is not shown the same advertisement twice; making it unnecessary for a visitor to re-register or re-enter a password and suggesting new products chosen on the basis of a customerís previous purchases.

The UKís Direct Marketing Association describes cookies as "an integral information gathering tool for web traders" and states that "[cookies] are used to determine the most visited areas of a site and the browsing habits of users. This information in turn enables web traders to effectively plan their advertising and marketing strategy".

"Third-party" cookies, which do not originate from the web site being visited (but typically come from advertisers on the site) are often simultaneously placed on a web site visitorís computer hard drive. Whether "first-party" cookies or "third-party" cookies, in the vast majority of cases, cookies are used without the explicit approval of the relevant user.

There is a growing range of software products available which include features such as blocking cookies, allowing cookies to be deleted or including pop-up boxes to alert the user when a third-party cookie has been received by his computer.

Privacy and Cookies

The current position
As explained above, cookies are simply an identity tag to facilitate the collection of data from web site visitors and are not specifically referred to in the Data Protection Act 1998 or its underlying Directive (please click here for further information). Nevertheless, the requirements of the Act are likely to apply to the collection and use of personal data accumulated using cookies1. Once the web site owner has sufficient information to identify a particular user whose computer has accepted a cookie, then arguably that entire collection of data relating to that user will be personal data2. As can be seen from the definition in the Act, information easily becomes "personal data". The Information Commissioner has made it clear that, in the on-line world, personal data do not need to be "traditional" identifiers, such as name, address, etc., but only information that "uniquely locates [the user] distinguishing him...from others".

Data protection obligations regarding the use of cookies by a web site operator include the following:

  • Inform the web site visitor that cookies (or Ďtracking technologyí) enabling the collection of personal data (within the broad meaning of this term) are used on the site. The Information Commissionerís current view is that a site will not be compliant with the Act if this information is provided only in the privacy policy;
  • Ensure that visitors know who is the data controller of data collected using cookies (and generally)3;
  • Ensure that visitors know the purposes for which the information collected using cookies will be used;
  • Ensure that visitors are provided with any other information necessary in the circumstances to enable the processing to be fair;
  • If a third party data controller obtains a personís "profile" information other than from the individual himself, there is an obligation on the third party to ensure that the person knows the partyís identity, the purposes of the processing and any other information necessary for fairness;
  • Compliance with the other data protection principles in the Act. To test for this compliance, ask the following questions:
    • Will the data collected only be used for the purposes specified to the web site visitor?
    • Are the data collected excessive in relation to the purposes for which they are collected?
    • How long will the data be stored?
    • Are any of the data sensitive personal data, as defined in the Act (see case study below)?
    • Will data be transferred outside the EEA to countries lacking adequate protection?
    • Does your privacy policy explain that advertisers may also send cookies?

The Future - Too Many Cooks leading to Half Baked Notions?

The European Parliament is in the process of enacting a new Directive on the processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector (the "Privacy Directive") aimed at regulating practices, such as the use of cookies and unsolicited commercial emails or "spam".

In November 2001 the European Parliament voted to accept an amendment to the draft Privacy Directive making it unlawful to place cookies on usersí computers without their explicit consent i.e. an opt-in system. ("The Cookie Crumbles" by Mark Turner and Mary Traynor provides more background on the initial debate, click here).

However, on 21 January 2002, the Council released its amended version of the draft Directive which provides for a modified opt-out system for cookies (Please click here to access The Council's updated text of the Privacy Directive). The Councilís draft provides only that the recipient must be given sufficient information, and the opportunity to refuse (i.e. opt-out). The UK Information Commissioner is known to be in favour of an opt-in system for cookies.

Here, too, support is divided between opt-in and opt-out, with the European Parliament in favour of letting each Member State choose between an opt-in and an opt-out rule. However, European ministers responsible for telecommunications took a strong stance in favour of the opt-in rule during a recent meeting of the European Council. They wanted to limit the opt-out approach to the situation where a supplier which has previously obtained a consumer's contact information through a pre-existing commercial relationship wishes to send its client further commercial offers.

The Councilís amended version of the Directive provides for an opt-in system for spam (although, where customers have previously consented to direct marketing, an opt-out system will apply).

In summary, the views of the European Parliament and the Council are as follows:

Parliament Council
Cookies opt-in opt-out (provided recipients are given sufficient information)
Spam individual Member States to decide between opt-in and opt-out opt-in (an opt-out system may operate for existing customers)

The European Parliament must now either reconsider its view or ratify the revised text. In a recent communication to the European Parliament the Commission has made clear its support for the views of the Council and has asked the Parliament for a rapid agreement on the proposed Directive, as it is the only outstanding element of the new telecoms package.

1Web sites operated within the UK will be covered by the Act. Even a web site established outside the EEA could be subject to the Act if, for example, the site is hosted in the UK or where a cookie is placed on the computer of a UK internet user to create a profile of that userís on-line behaviour.
2Personal data are defined as data which relate to a living individual who can be identified from those data (alone) or those data and other information in the possession of, or likely to come into the possession of, the data controller.
3These provisions are found at paragraph 2 of Part II, Schedule 1 and Section 7 of the Act.

Case Study: Bliss Records and Banner Advertising

We thought readers would find it helpful if we illustrated the above principles by reference to a hypothetical case study.

Bliss operates a highly successful online business selling books, CDs and DVDs. Part of its success is due to its use of technology to personalise the shopping experience for regular customers. Based on past usage patterns, a customer returning to the Bliss web site will be greeted by the "member name" chosen by the user and will automatically be recommended new books and music. The web siteís popularity has also enabled Bliss to earn a moderate revenue stream from advertising. Banner Advertising pays Bliss a monthly fee for the right to place banner advertisements on behalf of a number of its clients at the top of each page on the Bliss web site.

Every time a user visits the Bliss web site, the site checks the userís computer to see if there is a Bliss cookie. If it finds one, Bliss will then add information about that visit to all the other information in its database that corresponds to that cookie. If there is no cookie, the web site will post one to the userís computer.

Banner Advertisingís clients also send the customer cookies when a user visits the site.

The effect of the Data Protection Act 1998
Bliss is processing the information it collects via the cookies to tailor the web site to the individual visitor. The Act requires that personal data be processed fairly and lawfully. There may also be some "sensitive personal data" collected e.g. the customerís selection of CDís, DVDs and books may indicate particular political opinions, religious beliefs or sexual preferences. The Act imposes more stringent requirements in relation to the processing of sensitive data.

Consideration should also be given to the compliance of Banner Advertisingís clients with the Act, given that they are also likely to be collecting personal information using cookies. This will be especially relevant if there is any agreement in place for Bliss and Banner Advertising to share customer data. Bliss should alert visitors at the time they come onto the site to that fact that cookies (including third-party cookies) will be sent. This information should not just be included in Blissís privacy policy.

The impact of the proposed Privacy Directive
If the EU Parliamentís opt-in system is adopted, it will require Bliss to obtain the consent of each customer to the use of cookies before they are used. Understandably, most industry participants would not like to see that view prevail.

Alternatively, if the EU Councilís modified opt-out system is used, clear and precise information about the use of cookies will need to be shown to the customer the first time that they use the web site. Cookies can then be used unless the customer specifically requests not to receive them.

Regardless of which view prevails, Bliss would also need to consider the compliance of Banner Advertising when the proposed Privacy Directive enters into force.

Data Protection Act compliance and cookie usage will affect the vast majority of web sites. Most web sites, even corporate web sites that only provide information and do not sell any goods or services, use cookies to collect information about users.

To print this article, all you need is to be registered on

Click to Login as an existing user or Register so you can print this article.

In association with
Related Topics
Related Articles
Related Video
Up-coming Events Search
Font Size:
Mondaq on Twitter
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think youíve read our Disclaimer).
Email Address
Company Name
Confirm Password
Mondaq Topics -- Select your Interests
 Law Performance
 Law Practice
 Media & IT
 Real Estate
 Wealth Mgt
Asia Pacific
European Union
Latin America
Middle East
United States
Worldwide Updates
Registration (you must scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaqís use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributorís own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of

To Use you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaqís Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.


The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaqís Services.


Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaqís right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions