The recipe for complying with the new cookie regime

On 13 December 2011, the Information Commissioner’s Office (the “ICO”) published updated guidance on the steps website providers must take to ensure compliance with the new cookie regulations. The main update is that website providers who wish to use cookies as part of their website operations must obtain user consent. Below is an overview of practical steps your business could take in order to comply with the new data protection regime governing the use of cookies.

The revised Regulations provide that the use of cookies is only permitted if the user has:

  • Given their consent.
  • Been provided with clear and complete information regarding the purposes for storing and accessing the cookie.

The ICO recognises that the new legal framework presents businesses with technical, legal and organisational challenges. To facilitate compliance, it has confirmed that it will permit a period of 12 months for organisations to develop ways of meeting the revised cookie requirements. This period will end in May 2012.

What is a cookie?
Businesses in the UK currently use cookies for purposes ranging from analysing consumer browsing habits to remembering a user’s payment details online. An online provider can place a small text file (a so-called cookie) on the hard disks of visitors to the website. Consequently, information about the internet user such as his/her name, addresses, e-mail details, passwords and user preferences can be collected by the cookie.

Cookie Audit

To establish what types of cookies you are using and how privacy-invasive they are, you should perform a cookie audit by:

  • making a list of what type of cookies operate on your website
  • establishing the purposes of the cookies
  • establishing what data each cookie holds and whether the cookie is linked to other data held by you about a user
  • confirming the type of cookie and its lifespan
  • establishing whether it is a first-party or third-party cookie, so as to ensure legal compliance

User awareness and level of information
There is a large amount of information that organisations must provide to users regarding their use of cookies, which many providers find daunting. The ICO has set out guidance to ensure ultimate user awareness. At ebl miller rosenfalck we aim to assist you in this by suggesting ways in which information may be set out to ensure user friendliness.

We could provide up-to-date legal support by drafting a table or list of the cookies you use, setting out their purposes, in your privacy policy, or by drafting a broader explanation of the categories of cookies and how they operate. You can bring this information to the users’ attention by using:

  • prominent links
  • icons
  • blog posts
  • pop-up windows/splash pages
  • static information banners

Consent is when an individual knowingly indicates their acceptance through some form of communication. Consent could be gained by using the terms and conditions to which the user agrees when they first register or sign up to your website, or by using the user’s automatic preference settings on their browser. For such implied consent via the website operator’s terms and conditions to be valid, the purpose and the fact that cookies are being set must be fully understood by the user.

There are further planned revisions to the cookie regime, so the practical means of achieving compliance in this area are likely to change as user awareness of cookies increases. We would therefore suggest that our clients keep themselves updated on developments in this area.

The material contained in this article is provided for general purposes only and does not constitute legal or other professional advice. Appropriate legal advice should be sought for specific circumstances and before action is taken.

© , April 2012

Please contact:

Stuart Miller - Partner

DD +44 (0)20 7553 9936
