What is the new cookies legislation? And does your website comply
with it? Kay Miles from our
Commerce & Technology Team looks at cookies in further
detail.
Website owners must beware: the new cookies law is now in full
force and means that you must give your web users good information
about the cookies you want to use and, generally, you must obtain
their individual consent before deploying any cookies on their
device. You can no longer just provide a link to your Privacy
Policy and give users the ability to "opt-out".
Cookies are small files of letters and numbers that website owners
store on users' browsers or the hard drives of their computers.
Cookies contain information that is transferred to the user's
computer hard drive.
Many websites use cookies in some form or another, whether to track
which pages visitors go to, to provide personalised information, to
assist the shopping process or for many other reasons. In the
past, you had to tell your website users that you were using
cookies and let them know how to "opt-out" and turn them
off, but that was about as far as it went. That has all now
changed.
The new Regulations regarding cookies came into force in May 2011.
The Information Commissioner's Office (ICO) gave a
"lead-in period" of 12 months to allow organisations time
to put new processes in place to comply with the new legislation.
This period expired on 26 May 2012 and the ICO will now start to
enforce the legislation.
Cookies are now only generally allowed if the website user has:
- given express consent; and
- been provided with clear and comprehensive information about the purposes of such processing.
The previous ability to just give users the right to opt-out of cookies is now gone and "opt-in" consent must now be obtained.
If your website uses cookies, you must comply with the new
Regulations and obtain explicit consent from each user as to the
use of any cookies. If they do not consent, you must have policies
and technical procedures in place to ensure that cookies are not
deployed for that user and that the user is clear about the
consequences of this (for example, if aspects of your website will
not work, or not work as well, without the use of cookies).
The only exception to the requirement for consent is if the use of
the cookie is "strictly necessary" for the service
requested by the user. This is a very narrow exemption and we
generally advise that obtaining explicit consent is seen as the
preferred option.
The ICO has published some useful guidance (which can be downloaded
from their website). This indicates that one of the
exceptions likely to apply is where a cookie is used to ensure that
when a user of a site has chosen the goods they wish to buy and
clicks the 'add to basket' or 'proceed to checkout'
button, the site 'remembers' what they chose on a previous
page. This cookie is "strictly necessary" to provide the
service the user requests (i.e. taking the purchase they want to
make to the checkout) and so the exception would apply and no
consent would be required. This exception could be relied
upon if this is the only use of cookies on your website.
Generally, however, if cookies are to be used, you need to decide
how best to obtain the explicit consent required. Where cookies are
only used with subscribed users, explicit consent could be
obtained in the contract or terms of use with the user, which
the user must accept before using your website. If cookies are used
with less restricted access, then you may need a "pop-up"
or clear header requiring a response from the user before any
further access is permitted or, at least, before any cookies are
deployed. In any case, clear information must be given about the
use of cookies, the information they will collect and what they
will be used for.
Compliance with this legislation is mandatory and you need to
decide the best way to do this for your business, including by
updating your privacy policy and your technical procedures. We can
assist with this, so please do give us a call to discuss your
particular requirements.
This document is provided for information purposes only and
does not constitute legal advice. Professional legal advice should
be obtained before taking or refraining from taking any action as a
result of the contents of this document.