On 26 May 2011 the law governing the use of cookies changed. Previously, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“E-Privacy Regulations”) required websites to provide users with full information about how the website used cookies and about how to prevent cookies being deployed on to users’ machines. Now, users have to explicitly give their consent prior to having cookies downloaded on to their computers or mobile devices, having been provided with full and frank information about the use of cookies on the website. The new legislation which has amended the E-Privacy Regulations can be found here.

Frustratingly, the government and the Information Commissioner’s Office (“ICO”) currently have few clear ideas as to how the new legislation should be implemented by web managers. There is no guidance in the amended E-Privacy Regulations as to exactly how “consent” should be given. The Government has left that remit with the ICO, and, as its guidance note on compliance highlights, there is as yet no clear-cut method of ensuring compliance.

The consequences of non-compliance

The ICO recognise that implementation of the new law will need to be phased and have thus taken a sensible approach to enforcement by giving web managers until May 2012 to comply with the new legislation before issuing sanctions. From May 2012, the ICO will have the power to impose penalties of up to £500,000 for breaches of the new legislation. However, web managers are expected to be working towards compliance with the new law in the interim.

The ICO will still be investigating websites subject to non-compliance complaints during the year-long grace period. If a non-compliant website cannot demonstrate to the ICO that it has been working towards compliance, it will be given a warning. Should the website still be non-compliant after May 2012, that warning may well turn into a financial penalty. 

What needs to be done now?

Web managers in the UK should therefore be doing the following:

  • Ascertaining what type of cookies are used by their websites and how they are downloaded onto users’ machines (effectively a ‘cookie audit’).
  • Deciding on which method(s) of obtaining consent is best for their website, given the cookie audit.
  • Recording the cookie audit and implementation methods in an easily digestible form, lest the ICO ever investigate the site during this transitional period.

Suggested methods of implementation

The list is non-exhaustive and will doubtless get longer, but below are a few options which have been suggested to procure user consent before cookies are downloaded. Please note that consent only needs to be provided by a user the first time each type of cookie (used for the same purpose) is downloaded on to their machine:

  • Pop-ups each time a cookie is to be downloaded onto a user’s machine.
  • Having in place a privacy policy setting out the site’s use of cookies; the terms of which a user must positively agree to upon visiting the site (i.e. via a tick box).
  • Settings and feature-led consent. If cookies are downloaded when a user does something, e.g. watches a video or personalises the site, the user’s consent should be obtained prior to that action.

Web managers should be reminded that where the use of cookies is “strictly necessary” for the disclosed central purpose of the site, no consent needs to be given by the end user to their deployment. The most common situation in which this applies will be where a website remembers the contents of a user’s shopping basket as they navigate the site.
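The consent model above (positive consent per purpose, given once, with strictly necessary cookies exempt) can be enforced in the site’s own code rather than left to individual page scripts. The following is an added example, not code from the original article or from the ICO; the cookie names and purposes are constructed, and in a browser the in-memory jar would be document.cookie.

```javascript
// Added example (not from the original article): a consent gate that only
// deploys a cookie once the user has positively agreed to its purpose, with
// strictly necessary cookies exempt. Cookie names and purposes are constructed.
// In a browser the "jar" would be document.cookie and the consent store would
// be persisted, e.g. in a strictly necessary cookie of its own.

const COOKIES = [
  { name: "basket", purpose: "shopping-basket", strictlyNecessary: true },
  { name: "_stats", purpose: "analytics", strictlyNecessary: false },
  { name: "_stats_session", purpose: "analytics", strictlyNecessary: false },
  { name: "video_prefs", purpose: "video-personalisation", strictlyNecessary: false },
];

// Consent store: the set of purposes the user has positively agreed to.
function createConsentStore() {
  return { given: new Set() };
}

// Called from the tick box / prompt handler when the user agrees to a purpose.
function recordConsent(store, purpose) {
  store.given.add(purpose);
}

// Strictly necessary cookies need no consent; every other cookie needs a
// prior positive agreement for its purpose (one agreement covers all cookies
// sharing that purpose, so the user is not asked again).
function mayDeploy(store, cookie) {
  return cookie.strictlyNecessary || store.given.has(cookie.purpose);
}

// Attempt to set a cookie; every decision is appended to an audit log so the
// site can show what it deployed and why.
function setCookie(store, jar, cookie, value, log) {
  const allowed = mayDeploy(store, cookie);
  log.push({ name: cookie.name, purpose: cookie.purpose, action: allowed ? "set" : "blocked" });
  if (allowed) jar[cookie.name] = value;
  return allowed;
}

// Purposes the user has not yet agreed to: what a consent prompt must cover.
function outstandingPurposes(store, cookies) {
  const pending = new Set();
  for (const c of cookies) {
    if (!c.strictlyNecessary && !store.given.has(c.purpose)) pending.add(c.purpose);
  }
  return [...pending];
}
```

The audit log doubles as the record of the cookie audit and consent decisions that the ICO may ask for during the transitional period.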

What next?

The ICO have suggested that, in the near future, consent will be validly provided through users’ web browsers. ICO guidance envisages a future scenario whereby a user accesses a website via a sufficiently sophisticated web browser, set up to reject certain cookies and accept others, allowing a web manager to assume that the user has provided their consent accordingly. However, it is acknowledged that many web browsers are not sufficiently sophisticated for this method to be currently viable. The Government is therefore currently consulting with the major web browser manufacturers and it is envisaged that an announcement as to compliance via this unobtrusive method will eventually be made.

However, the Article 29 Working Party (a group of data protection regulators from EU member states) have given a non-binding (albeit very persuasive) opinion on consent via web browsers. The Working Party have suggested that reliance on users navigating websites via sophisticated web browsers is not, in itself, a substitute for procuring their positive consent to the download of cookies. Instead, the Working Party has suggested that web browsers need to be supplied to consumers with a default setting of rejecting cookies. In order for consent to be validly given via these browsers, users would also have to be provided with comprehensive information about cookies before actively changing their browser settings to allow cookies.