If so were you aware of the new legislation in relation to the use of Cookies on websites?

What are Cookies?

A cookie is a small text file implanted by a website operator or online advertising network on the hard disks of visitors to the site (often without their knowledge). Cookies are used to collect information about internet users, such as their names, addresses, e-mail details, passwords and user preferences. This information when used in conjunction with other information in the possession of the website operator can help to identify an individual and so can amount to Personal Data as defined in the Data Protection Act 1998.

We were getting used to the legislation around opt in consent for email marketing but recent revisions to the Privacy and Electronic Communications Regulations 2003 (SI 2426/2003) (2003 Regulations) through the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (SI 2011/1208).

The new legislation now provides that the use of cookies is only allowed if the user concerned:

  • Has been provided with clear and comprehensive information about the purposes for which the cookie is stored and accessed.
  • Has given his or her consent.

(Regulation 6(1) and (2), revised 2003 Regulations.)

The issue is that there is not a definition of consent although guidance suggests the consent must be freely given, specific and informed. Consent must also be appropriate to the age and capacity of the individual and to the particular circumstances of the case.

Guidance also suggests that consent must be obtained before the Cookie is planted and organisations have until May 2012 to ensure that they are compliant.

Some of the suggestions being put forward by the ICO guidance (Guidance) as to how to achieve compliance include:

  • Pop—ups and similar techniques. Online providers could obtain user consent by including express consent provisions with tick boxes in pop-up windows. Although this is the simplest option to achieve compliance, there is general agreement that this would be unpopular with users as it would spoil a user’s experience of using a website if several cookies are used. This way of obtaining consent might also be impractical as many users employ pop—up blockers and would therefore be unlikely to see the pop—up windows.
  • Terms and conditions.Website operators may be able to gain consent online using the terms of use or terms and conditions to which the user agrees when they first register or sign up. If users have already consented to the terms of use when they first registered online, the organisation must make them aware of the changes to its terms in relation to the use of cookies. The Guidance recommends that website operators should obtain a positive indication (possibly through use of a tick box) that users understand and agree to the changes.
  • Settings—led consent.Some cookies are deployed when a user makes a choice about how the website works for them, There is a suggestion that consent could be gained as part of the process by which the user confirms what they want to do or how they want the website to work.
  • Functional uses.The Guidance explains that an analytic cookie, which collects information about how people access and use a website, might not appear to be as intrusive as others, but still needs consent. It recommends that organisations make information about the use of cookies more prominent, perhaps with a list of them and description of how they work. Text could be placed in the footer or header of the web page, which is highlighted when an organisation wants to set a cookie on the user’s device, prompting the user to read further information (which might, for example, be made available on the privacy pages of the website) and make any appropriate choices.

The above relate to direct cookies however there are also issues in relation to cookies placed by third parties such as third party advertisers on a website.

Next Steps

The ICO has suggested that organisations should:

  1. identify where and when they use cookies and what type of cookies they are;
  2. identify how intrusive the cookies are as the greater the amount of intrusion the greater the need for consent; and
  3. formulate strategy for obtaining consent.

Jordans can help with a review of your website to ensure it is legally compliant and to update your terms and conditions and privacy policies in light of the new legislation. For further information please contact Cathy Cook at Jordans Solicitors Wakefield offices in  West Yorkshire.

More guidance and help can be found in this PDF.

Related Blog Articles