Changes to the Rules on using Cookies
Reviewed June 2011
Please note that this Briefing Note is not maintained, and reflects the law as at the date of publication or update
This Briefing Note, based on guidance issued by the Information Commissioner’s Office (ICO), sets out how your business should obtain consent from visitors to your website to store or retrieve information from users’ computers or mobile devices. This briefing note should not be relied upon as legal advice and you should contact us for advice on your specific circumstances.
What are the changes?
- A new law came into force on 26 May 2011, requiring your business to obtain consent from visitors to your website to store or retrieve usage information from users’ computers or mobile devices.
- Previously, your business could simply tell visitors how you used cookies and how they could “opt-out” if they objected. Many websites did this by putting information about cookies in their privacy policies and giving people the possibility of “opting out”.
What are cookies?
- Analysing their on-site browsing habits.
- Remembering a user’s payment details when buying products online.
While cookies and the information they transmit may not be able to identify a living individual on their own, they may well be able to do so in combination with other information held by the recipient of the transmitted information or a third party.
Are there any exceptions to the new rules?
There is only one exception to the new consent rule. Your business will not need to get consent for an activity that is “strictly necessary” for a service requested by the user. For example, you would not need consent for a cookie which your business uses to ensure that, when a user of your site has chosen the goods they want to buy and clicks the “add to basket” or “proceed to checkout” button, your site “remembers” what they chose on a previous page.
What steps can my business take now?
- Check what type of cookies your business uses and how they are used. You should analyse which cookies are strictly necessary and may not need consent. Your business could also use this as an opportunity to clean up your web pages and stop using any cookies that have been superseded as your site has evolved.
- Decide what solution to obtain consent will be best in your circumstances.
Can browser settings be used to indicate consent?
- Most browser settings are not sophisticated enough to allow your business to assume that the user has given their consent to allow your website to set a cookie.
- Not everyone who visits your site will do so using a browser (for example, they may have used an application on their mobile device).
What other options are there for indicating consent?
Your business needs to provide information about cookies and obtain consent before a cookie is set for the first time. If you get consent at this stage you will not need to do so again for the same person each time you use the same cookie (for the same purpose) in future.
Many websites routinely use pop-ups or “splash pages” to make users aware of changes to the site or to ask for user feedback. Similar techniques could, if designed correctly, be a useful way of informing users of the techniques your business uses and the choices they have.
Terms and conditions
- You will need to gain a positive indication that users understand and agree to the changes (for example, by asking the user to tick a box).
Some cookies are deployed when a user makes a choice about how the site works for them. Consent could be gained as part of the process by which the user confirms what they want to do or how they want the site to work. For example, some websites register which version a user wants to access (such as a version of a site in a particular language).
Some objects are stored when a user chooses to use a particular feature of the site (for example, watching a video clip). In these cases, presuming that the user is taking some action to tell the webpage what they want to happen (for example, by clicking a link), your business could ask for their consent to set a cookie at this point.
- Your business may often collect information about how people access and use your site in the background and not at the request of the user. This type of activity will still require consent.
- You should consider how you currently explain your policies to users and make that information more prominent.
- Provide more details about what your business does (for example, a list of cookies used with a description of how they work) so that users can make an informed choice about what they will allow.
- Your business could, for example, place text in the footer or header of the web page which is highlighted or which turns into a scrolling piece of text when you want to set a cookie on the user’s device.
Third party cookies
- If your website displays content from a third party (for example, from an advertising network) this third party may read and write their cookies onto “your” users’ devices.
- If your website allows or uses third party cookies you should make sure your business is doing everything it can to get the correct information to users to enable them to make an informed choice about what is stored on their device.
What are the penalties for failing to comply?
- If the ICO receives a complaint about your website, your business would be expected to respond by:
- setting out how you have considered the complaint; and
- providing a realistic plan to achieve compliance.
- The ICO has already indicated, in a speech earlier this year, that businesses should not use this initially relaxed approach as a free pass to do nothing. The enforcement regime is likely to be strengthened once the government has more clarity on what can be done with browser settings and other applications.
- The ICO will issue separate guidance on how it intends to enforce the new regulations in the near future.