A cookie is a small file which is placed on your computer or other device used to access the internet when you visit a website. The file will often enable the website to recognise you when you next visit the site in question. This is done in order to enhance your "user experience" - for example by remembering who you are and not requiring you to re-enter your name and address or by remembering your preferences for the manner in which the website appears on your computer screen.
As well as being used to enhance the user experience, cookies are often used to track a web user's activities and the sites he or she has visited. This information can then be used to assess the user's interests with a view to delivering targeted advertising.
The new cookie regime
As a result of the Regulations any business using cookies must:-
- provide clear and comprehensive information about the purposes of the storage of, or access to, the information obtained by the cookie; and
- obtain the consent of the computer user.
It is the latter requirement to obtain consent which is the key change for businesses to be aware of - this is now an "opt in" regime, as opposed to the old "opt-out" regime.
Whilst the Regulations clarify that consent may be signified by a subscriber who amends or sets controls on his internet browser to signify consent, it appears that browsers are not yet configured in such a way as to enable businesses to rely on this provision. And there are conflicting views on whether making no change to a default setting on a browser could be construed as consent.
Consent is not required where the use of the cookie is strictly necessary for provision of an "information society service" requested by the subscriber or user. However, it is likely that this exception will be very narrowly interpreted. One example given by the Information Commissioner's Office (which has responsibility for enforcing the Regulations) is the use of a cookie in relation to online shopping baskets so that the contents of that basket can be remembered.
Enforcement grace period
Acknowledging the difficulties which businesses are likely to encounter in seeking to comply with this "opt-in" regime, Ed Vaizey, the Minister for Culture, Communications and Creative Industries, has stated that government intends to work with website operators to come up with workable technical solutions. In an open letter issued by him on 24 May 2011 he also stated that enforcement action will not be taken until appropriate technical solutions are available.
The Information Commissioner's Office (ICO) has indicated in its latest guidance that website operators have 12 months to get their house in order - but they do expect organisations to start taking action now so that they can properly comply by May 2012.
The ICO recommends that businesses should:-
- assess how intrusive those cookies are; and
- consider options for obtaining consent and decide on the best solution.
It seems, however, from the ICO's guidance that, in spite of the assurances given by Ed Vaizey, if appropriate technical solutions are not available by May 2012 so that website operators can rely on browser settings, they will by then have to be in a position to obtain consent in some other way, such as by the use of pop-ups and similar techniques or the use of terms and conditions which are accepted by users through the use of tick boxes.
Third party cookies
The new cookie regime is certainly not toothless. The ICO has the power to impose fines of up to £500,000 for breaches of the Regulations. Whilst this power will only be used where there have been serious breaches and those breaches are of a kind likely to cause substantial damage or distress, the ICO suggests that the requirement to show substantial damage or distress can be met in a situation where the damage or distress actually caused to any one individual is limited but large numbers of individuals are affected. As a result, businesses with particularly popular websites may find themselves in the firing line for fines.