What is the new cookies legislation? And does your website comply with it? Kay Miles from our Commerce & Technology Team looks at cookies in further detail.

Website owners must beware: the new cookies law is now in full force. It means that you must give your web users good information about the cookies you want to use and, generally, you must obtain their individual consent before deploying any cookies on their device. You can no longer just provide a link to your Privacy Policy and give users the ability to "opt-out".

Cookies are small files of letters and numbers that website owners store on users' browsers or the hard drives of their computers. Cookies contain information that is transferred to the user's computer hard drive.

Many websites use cookies in some form or another, whether to track which pages visitors go to, to provide personalised information, to assist the shopping process or for many other reasons. In the past, you had to tell your website users that you were using cookies and let them know how to "opt-out" and turn them off, but that was about as far as it went. That has all now changed.

The new Regulations regarding cookies came into force in May 2011. The Information Commissioner's Office (ICO) gave a "lead-in period" of 12 months to allow organisations time to put new processes in place to comply with the new legislation. This period expired on 26 May 2012 and the ICO will now start to enforce the legislation.

Cookies are now only generally allowed if the website user has:

  • given express consent; and
  • been provided with clear and comprehensive information about the purposes of such processing.

The previous ability to just give users the right to opt out of cookies is now gone and "opt-in" consent must now be obtained.

If your website uses cookies, you must comply with the new Regulations and obtain explicit consent from each user as to the use of any cookies. If they do not consent, you must have policies and technical procedures in place to ensure that cookies are not deployed for that user and that the user is clear about the consequences of this (for example, if aspects of your website will not work, or not work as well, without the use of cookies).

The only exception to the requirement for consent is if the use of the cookie is "strictly necessary" for the service requested by the user. This is a very narrow exemption and we generally advise that obtaining explicit consent is seen as the preferred option.

The ICO has published some useful guidance (which can be downloaded from their website). This indicates that one of the exceptions likely to apply is where a cookie is used to ensure that when a user of a site has chosen the goods they wish to buy and clicks the 'add to basket' or 'proceed to checkout' button, the site 'remembers' what they chose on a previous page. This cookie is "strictly necessary" to provide the service the user requests (i.e. taking the purchase they want to make to the checkout) and so the exception would apply and no consent would be required. This exception could be relied upon if this is the only use of cookies on your website.

Generally, however, if cookies are to be used, you need to decide how best to obtain the explicit consent required. Where cookies are only used with subscribed users, explicit consent could be obtained in the contract or terms of use, which the user must accept before using your website. If cookies are used with less restricted access, then you may need a "pop-up" or clear header requiring a response from the user before any further access is permitted or, at least, before any cookies are deployed. In any case, clear information must be given about the use of cookies, the information they will collect and what they will be used for.

Compliance with this legislation is mandatory and you need to decide the best way to do this for your business, including by updating your privacy policy and your technical procedures. We can assist with this, so please do give us a call to discuss your particular requirements.

This document is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from taking any action as a result of the contents of this document.