Complying With The New Cookie Regime

Recently, significant changes have been made to the rules on the use of internet cookies. These changes affect organisations with a website and require them to obtain informed consent from website users in order to use cookies.

A cookie is a collection of data which a website operator places on the hard disks of the devices of visitors to the site. Cookies collect information about internet users, such as their names, addresses, email details, passwords and user preferences, and are used by many organisations as an essential marketing tool. While cookies and the information they transmit may not identify a living individual on their own, they may be able to do so in combination with other information held by the website provider.

The new rules (the Privacy and Electronic Communications (EC Directive) Regulations 2003) came into effect on 26 May 2011. The Information Commissioner’s Office (ICO) granted a year’s grace period before enforcing the new requirements, and this period expires on 26 May 2012.

After 26 May 2012, website operators must comply with the requirements for notice and consent when using cookies. Obtaining the consent of website users is not a straightforward matter, especially from a practical perspective. The ICO has indicated that inferring users' consent to the use of cookies simply from their continued use of the website will be insufficient.

The ICO has not endorsed any specific solution for complying with the Regulations but has instead produced guidance on the steps that organisations should take before the deadline. These include conducting a “cookie audit”, assessing the privacy intrusiveness of the cookies used and deciding what level of information to provide to users so that they can understand clearly the potential consequences of agreeing to allow the cookies to operate on their devices.

Where the Regulations are breached, the ICO may exercise a range of regulatory powers, including enforcement notices, information notices and fines of up to £500,000.

Organisations are urged to consult the ICO guidance and take legal advice on the use of cookies on their websites as soon as possible.