From today (26 May), new rules come into force on the use of website cookies (and similar technologies such as spyware) which mean that website operators can no longer justify their use by solely relying on website users to change their browser settings to “opt-out” if the website users do not want to receive them.

A cookie is a piece of text stored on a website user’s computer by his or her browser that allows the website to store certain information about the website user’s use of the site and to recognise the website user when he or she returns to the website in the future. The new rules amend Article 5(3) of the e-Privacy Directive (2000/58/EC).

In a nutshell, the new rules state that website operators will only be able to use cookies on their websites to store information, or gain access to information stored on a website user’s computer (or a similar device such as a mobile phone) if the website user is provided with detailed information about the way the cookies are to be used so that they can choose to accept them or not. This essentially implies that an “opt-in” regime must be adopted in contrast to previous practice, where it was thought to be sufficient for a website operator to outline how website users could “opt-out” of receiving them in its privacy policy.  

Website operators have been concerned since the adoption of the new rules because it has been unclear how they will operate in practice, and there has been a lot of pressure on the government to offer some helpful guidance. The latest guidance was released earlier this month by the Information Commissioner’s Office, the data protection regulator for the UK (the “ICO”).

The guidance offers some useful advice but does not provide a comprehensive guide for website operators and the ICO has said that further guidance may follow. The key points from the ICO’s guidelines are as follows:

  • The new rules will apply to cookies and similar technologies that are not strictly necessary for the provision of services. “Strictly necessary” is not defined. However, according to the ICO, cookies used for the collection of statistical data and to remember a website user’s preference settings (including behavioural advertising cookies) will not be considered “strictly necessary”, whereas shopping basket functionality cookies, for example, will fall within the scope of “strictly necessary”.
  • The ICO guidance does not set out a definitive “opt-in” procedure. However, it does state that website operators cannot simply rely on browser settings to deliver consent for the use of cookies and that something more is needed, such as the use of pop-ups, feature settings, privacy notices, cookie icons, and terms and conditions. The key thing to note is that the exceptions to the new rules are very narrow and positive action will be required to bring most websites using cookies into conformity.
  • The ICO states that website operators will not be expected to fully comply with the new rules immediately and there will be a “grace period” (although the ICO does not say how long this will last). During the grace period, if the ICO receives a complaint, it will expect a non-compliant website operator to produce a plan demonstrating that it has considered what types of cookies and similar technologies it uses and how frequently, how intrusive this use is, and what the most appropriate solution is for it to implement so that it is compliant with the new rules in the future.

The ICO guidance can be found in full at the following link: