Cookie compliance: an overview of new website requirements
Updated June 2011
All businesses which have a website need to start thinking about how they are going to comply with a new law which requires user consent to use of cookies. On 26 May this year, the law relating to cookies changed. Nearly all websites use cookies to track the interaction of users with their web pages. For example, cookies are used (amongst many other things) to track which pages website users have visited, to enable log-in procedures and to serve targeted advertising.
Under the new law, use of cookies is only permitted with users' explicit consent. This is a change from the previous position, whereby website operators were permitted to install cookies on a user's computer as long as users had been given the opportunity to opt out and had been provided with information about how those cookies would be used.
Since the new law came into force, the Information Commissioner's Office (ICO) has stated that website owners have up to 12 months to 'get their house in order' before enforcement of the new cookie law commences. The period is intended to allow time for the development of workable technical solutions to enable organisations to comply. The ICO has made it clear, however, that it will not condone organisations taking no action until May next year. The guidance stresses that "organisations should be taking steps to ensure they can properly comply with the revised rules for cookies". Warnings may be issued to organisations that are not making adequate preparations and such warnings will be taken into account if enforcement action (that may include a fine of up to £500,000) is required after May 2012.
When the forthcoming changes were initially announced it was suggested that a user's browser settings, set not to block cookies, might convey the required consent but, for the time being, the ICO has rejected this approach as a means of compliance. The reason for this conclusion is that the ICO considers that most browser settings are not sophisticated enough to demonstrate the requisite level of consent. Further, not all users who visit a website do so via a browser, for instance those who access via mobile phone. The guidance acknowledges that in the future there may be the possibility of relying on users' browser settings and that the government is working towards a solution, but for now, the technology is not yet available.
In suggesting how businesses should comply with the new requirements, the ICO's guidance makes it clear that businesses are expected to take a phased approach. Businesses are advised to:
- conduct an audit of where cookies are used and how they are used;
- assess how intrusive the use of a cookie is; and
- decide what solution to obtain consent is most appropriate to the circumstances.
The message is that there is a scale of severity - the more intrusive the cookie (that is, the more the use of the cookie relates to the user's personal information and will influence behaviour towards the user) the more care is required in bringing the user's attention to the purpose of the cookie and ensuring that express consent is obtained. Businesses will therefore need to consider an appropriate means of obtaining consent for each type of cookie used. Possible solutions suggested in the guidance include the use of pop ups, the use of terms and conditions and the use of scrolling text to draw users' attention to information about cookies.
If website operators allow third parties to place cookies on a user's equipment, the ICO's guidance indicates that the website operator and the third party will need to work together to ensure appropriate consent to use of such cookies is obtained. This will be particularly relevant where advertising agencies place cookies on websites in order to serve targeted advertising.
On a positive note for website operators, the guidance has accepted that consent is only required the first time that a cookie is installed rather than every time a user visits the website. Any changes to the purpose of the cookie will require further consent. There is also an exception to the rule requiring consent if the cookie is 'strictly necessary' for a service requested by the user, such as where it is used for an online shopping basket to enable payment. This may, for instance, be relevant to cookies stored when a user is making a reservation online, but the ICO has stressed how narrow this exception is and that the use of the cookie must be related to the service 'explicitly requested' by the user, so tailored advice should be sought.
To read the guidance, please see Related links.
TLT's Data Protection & Privacy team is offering a review service to assist you in identifying the best means of obtaining consent given the types of cookies used on your website. If you would like more information about the review service or have any queries about the forthcoming changes, please contact Alison Deighton.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at June 2011. Specific advice should be sought for specific cases; we cannot be held responsible for any action (or decision not to take action) made in reliance upon the content of this publication.
TLT LLP is a limited liability partnership registered in England & Wales number OC 308658 whose registered office is at One Redcliff Street, Bristol BS1 6TP England. A list of members (all of whom are solicitors or lawyers) can be inspected by visiting the People section of this website. TLT LLP is authorised and regulated by the Solicitors Regulation Authority under number 406297.
Related links
- ICO - advice on new cookie regulations
- ICO - enforcing the revised Privacy and Electronic Communications Regulations
Contact
Alison Deighton
Associate
Tel: +44 (0)117 917 8016
Julia Lucas
Partner
Tel: +44 (0)117 917 7957