The use of cookies to monitor the activities of website users is becoming ever more prevalent, especially in the realm of targeted online advertising. However, the latest rules on this form of data capture which came into force on 26 May 2011 are set to complicate the lives of those businesses that satisfy their hunger for information on web-users by the use of cookies.

A cookie is a small file which is placed on your computer or other device used to access the internet when you visit a website. The file will often enable the website to recognise you when you next visit the site in question. This is done in order to enhance your "user experience" - for example by remembering who you are and not requiring you to re-enter your name and address or by remembering your preferences for the manner in which the website appears on your computer screen.

As well as being used to enhance the user experience, cookies are often used to track a web user's activities and the sites he or she has visited. This information can then be used to assess the user's interests with a view to delivering targeted advertising.

Alive to the privacy concerns raised by some relating to the amount of personal data being obtained by the use of cookies, the European Commission issued a new directive in 2009 which set new rules for the use of cookies. That directive was implemented in the UK by the suitably obscure-sounding Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (Regulations).

The new cookie regime

As a result of the Regulations, any business using cookies must:

  • provide clear and comprehensive information about the purposes of the storage of, or access to, the information obtained by the cookie; and
  • obtain the consent of the computer user.

It is the latter requirement to obtain consent which is the key change for businesses to be aware of - this is now an "opt in" regime, as opposed to the old "opt-out" regime.

Whilst the Regulations clarify that consent may be signified by a subscriber who amends or sets controls on his internet browser to signify consent, it appears that browsers are not yet configured in such a way as to enable businesses to rely on this provision. And there are conflicting views on whether making no change to a default setting on a browser could be construed as consent.

Consent is not required where the use of the cookie is strictly necessary for provision of an "information society service" requested by the subscriber or user. However, it is likely that this exception will be very narrowly interpreted. One example given by the Information Commissioner's Office (which has responsibility for enforcing the Regulations) is the use of a cookie in relation to online shopping baskets so that the contents of that basket can be remembered.

Enforcement grace period

Acknowledging the difficulties which businesses are likely to encounter in seeking to comply with this "opt-in" regime, Ed Vaizey, the Minister for Culture, Communications and Creative Industries, has stated that government intends to work with website operators to come up with workable technical solutions. In an open letter issued by him on 24 May 2011 he also stated that enforcement action will not be taken until appropriate technical solutions are available.

The Information Commissioner's Office (ICO) has indicated in its latest guidance[1] that website operators have 12 months to get their house in order - but it does expect organisations to start taking action now so that they can properly comply by May 2012.

The ICO recommends that businesses should:

  • audit their use of cookies;
  • assess how intrusive those cookies are; and
  • consider options for obtaining consent and decide on the best solution.

It seems, however, from the ICO's guidance that, in spite of the assurances given by Ed Vaizey, if appropriate technical solutions are not available by May 2012 so that website operators can rely on browser settings, they will by then have to be in a position to obtain consent in some other way, such as by the use of pop-ups and similar techniques or the use of terms and conditions which are accepted by users through the use of tick boxes.

Third party cookies

If a website permits third parties to set cookies on the visitor's device, the process of obtaining consent will need extra thought. The ICO makes the point that any business permitting this form of activity should ensure that users are aware of what is being collected and by whom, and allow them to make informed choices about what is stored on their device. Clearly the person with the responsibility for providing the relevant information and ensuring that it is accurate is the operator of the website, and therefore they will need to ensure that they are given accurate information by the relevant third parties. It may therefore be time not only to audit the use of cookies on your websites but also to reconsider the terms under which you allow third parties to place cookies on your visitors' computer devices.

Fines

The new cookie regime is certainly not toothless. The ICO has the power to impose fines of up to £500,000 for breaches of the Regulations. Whilst this power will only be used where there have been serious breaches and those breaches are of a kind likely to cause substantial damage or distress, the ICO suggests that the requirement to show substantial damage or distress can be met in a situation where the damage or distress actually caused to any one individual is limited but large numbers of individuals are affected. As a result, businesses with particularly popular websites may find themselves in the firing line for fines.

Comment

Any business which uses cookies will need to consider how best to comply with the new "opt-in" regime. In spite of the grace period for enforcement, delay in dealing with this is a recipe for disaster. Check now what cookies you are using and whether you allow third parties to plant cookies via your website. Consider how you are going to obtain consent. And monitor technical developments to take advantage, where necessary, of the possibility of obtaining consent through browser settings.