A change in the recipe

A new law amending the EU Privacy and Communications Directive came into force recently, requiring website owners to obtain consent from users to the use of cookies.

The UK Government has now adopted the provisions of the Directive and, in principle, businesses will now be required to obtain the consent of website users in order to collect or store their data by way of cookies.

Cookies are files downloaded automatically from websites and stored on users' computers, which enable website owners to track information on user preferences, their on-site browsing habits and, where relevant, purchase details.

Cookies are very widely used by businesses for legitimate purposes, although often without the visitors' knowledge or express consent. Until now, website owners could deal with these issues by informing users and giving them a right to opt out from the use of cookies, as explained in website privacy policies or terms and conditions.

User consent – no more forced feeding

There is an exemption where use of cookies is "strictly necessary" for the operation of the website – but the Information Commissioner's Office ("ICO"), responsible for enforcement of these provisions, has made it clear that this will be interpreted narrowly, e.g. cases where a user is buying goods online, so that the website owner can retain information on what they have ordered.

The debate has focused on how user consent can be obtained in a practical way. One view is that website owners could rely on users giving or withholding their consent through their computer browser settings, which they adjust to switch on or off the computer's capacity to store cookies.

However, the ICO has warned against relying on this approach, particularly in the short term. Few browsers are sophisticated enough to cater for this at the moment, and some users will not access websites through browsers. While browsers may develop the capacity for dealing with consent in the long term, this is not currently a solution.

What now?

The ICO is consulting widely to find appropriate technical solutions to gaining user consent. In the meantime it has suggested alternatives which include: the use of pop-ups, more explicit terms and conditions, settings-led and feature-led consent. The ICO does not intend to lay down hard and fast rules.

The ICO has said that website owners must now review their use of cookies – what they really need to collect – and the more personal the information, the more urgent the need to get a proper consent process in place. Bearing in mind that it will take time for organisations to review their existing practices and develop appropriate solutions, the ICO has confirmed that in relation to enforcement there is now a twelve-month "grace" period. However, this is conditional on organisations being able to demonstrate that they are actively developing realistic plans to achieve compliance with the revised Directive.

Check the recipe

Further guidance will follow, but in the meantime you should get familiar with the new law, review how you use cookies and start to work on your plan to achieve compliance.