What is the new cookies legislation? And does your website comply
with it? Kay Miles from our
Commerce & Technology Team look at cookies in further
Website owners must beware, the new cookies law is now in full
force and means that you must give your web users good information
about the cookies you want to use and, generally, you must obtain
their individual consent, before deploying any cookies on their
device. You can no longer just provide a link to your Privacy
Policy and give users the ability to "opt-out".
Cookies are small files of letters and numbers that website owners
store on users' browsers or the hard drives of their computers.
Cookies contain information that is transferred to the user's
computer hard drive.
which pages visitors go to, to provide personalised information, to
assist the shopping process or for many other reasons. In the
past, you had to tell your website users that you were using
cookies and let them know how to "opt-out" and turn them
off but that was about as far as it went. That has all now
The new Regulations regarding cookies came into force in May 2011.
The Information Commissioner's Office (ICO) gave a
"lead-in period" of 12 months to allow organisations time
to put new processes in place to comply with the new legislation.
This period expired on 26 May 2012 and the ICO will now start to
enforce the legislation.
Cookies are now only generally allowed if the website user has:
given express consent; and
been provided with clear and comprehensive information about
the purposes of such processing. The previous ability to just give
users the right to opt-out of cookies is now gone and
"opt-in" consent must now be
Regulations and obtain explicit consent from each user as to the
use of any cookies. If they do not consent, you must have policies
and technical procedures in place to ensure that cookies are not
deployed for that user and that the user is clear about the
consequences of this (for example, if aspects of your website will
The only exception to the requirement for consent is if the use of
the cookie is "strictly necessary" for the service
requested by the user. This is a very narrow exemption and we
generally advise that obtaining explicit consent is seen as the
The ICO has published some useful guidance (which can be downloaded
from their website). This indicates that one of the
exceptions likely to apply is where a cookie is used to ensure that
when a user of a site has chosen the goods they wish to buy and
clicks the 'add to basket' or 'proceed to checkout'
button, the site 'remembers' what they chose on a previous
page. This cookie is "strictly necessary" to provide the
service the user requests (i.e. taking the purchase they want to
make to the checkout) and so the exception would apply and no
consent would be required. This exception could be relied
Generally, however, if cookies are to be used, you need to decide
how best to obtain the explicit consent required. Where cookies are
only used with subscribed users then explicit consent could be
the user must accept before using your website. If cookies are used
with less restricted access, then you may need a "pop-up"
or clear header requiring a response from the user before any
further access is permitted or, at least, before any cookies are
deployed. In any case, clear information must be given about the
will be used for.
Compliance with this legislation is mandatory and you need to
decide the best way to do this for your business, including by
assist with this and please do give us a call to discuss your
This document is provided for information purposes only and
does not constitute legal advice. Professional legal advice should
be obtained before taking or refraining from taking any action as a
result of the contents of this document.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
The date of the first binding vote by the Civil Liberties, Justice and Home Affairs Committee (LIBE) on the proposed General Data Protection Regulation (Regulation), which was initially planned for April-May 2013, has been postponed a second time.
Sam Allardyce recounted a humorous tale which re-enforced how important it is to have the right facts and figures at your disposal, and the importance of controls in establishing a trustworthy dataset.
The Court of Appeal has concurred with the High Court that the publication of private information relevant to an individual's character was justified where the public was entitled to consider his fitness for high public office.
When an organisation collects personal data about an individual, that individual has certain expectations about the purposes for which the data will be used.
Some comments from our readers… “The articles are extremely timely and highly applicable” “I often find critical information not available elsewhere” “As in-house counsel, Mondaq’s service is of great value”