What is a Cookie?
At its simplest, a cookie is a string of data (usually letters and numbers) which, by being stored on a particular device accessing a website, functions as a unique identifier for it. Cookies are responsible for much of the website functionality that is both popular and taken for granted. For example, cookies can save users the time and trouble of re-entering site preferences or delivery addresses every time they access a favourite site.
Cookies can be used for various (and sometimes multiple) purposes, but they can broadly be categorised as:
- Targeting or advertising cookies – these might be used to deliver targeted advertising to users based on their previous browsing habits
- Functionality cookies – these might be used to recognise a user when he or she returns to a website
- Performance cookies – these might be used to monitor traffic across different pages of a website to report on visitor numbers and popular pages
- Strictly necessary cookies – these include cookies that enable users to log into secure areas of a website or use a shopping cart
What does the "Cookie Law" say?
This amendment to the 2003 Regulations came into force in the UK on 26 May 2011. However, as mentioned above, at the time, the UK Information Commissioner granted a one year moratorium on enforcement of these new rules in order to allow organisations the opportunity to develop compliance strategies to address this challenging change. This moratorium on enforcement expires on 26 May 2012. From that date, the Information Commissioner's Office (the "ICO") may exercise a range of regulatory powers at its disposal in relation to breaches of the new rules, including Enforcement Notices, Information Notices, and fines (Monetary Penalty Notices) of up to £500,000.
Is there any guidance available?
During the "grace period", the ICO has been encouraging organisations to: (i) check which cookies and similar technologies are being used and how; (ii) assess how intrusive the use is and prioritise compliance efforts, starting with the most intrusive; and (iii) decide which solution for providing clear and comprehensive information and obtaining consent will be best in the circumstances. It has also produced some guidance and has committed to updating this guidance with practical illustrations as it becomes aware of examples of compliance solutions.
Every website is unique and standard solutions are therefore unlikely to exist. However, UK organisations with a website using cookies or similar technologies should be considering their compliance strategy now. In addition, the new requirement originates from an EU Directive and so organisations with a European web presence will also need to have a compliance strategy covering the EU, where the rules are being implemented on a country-by-country basis. So far only a small number of Member States have implemented the rules, including France and the Netherlands.
See our PLC Article from the May 2012 edition of PLC magazine for further details.
Click here for details of the ICC UK's cookie guide.
The ICO's guidance can be accessed here.