Pun free reminder on change to cookie law

6th May 2012 marks the end of the one-year lead-in period which was granted to enable companies to get to grips with the new laws on the use of cookies (small text files used to track a person’s use of a website).

No doubt in part due to the huge potential for puns that this topic provides (half-baked legislation, cookie monster strikes again, that’s the way the cookie crumbles, etc.) there has been no shortage of comment on the imminent change. However, as D-Day approaches I thought it would be useful to provide a quick, pun-free guide to what is happening.

1. What law is changing?

The use of cookies is subject to the Data Protection Act 1998 and also the snappily titled Privacy and Electronic Communications (EC Directive) Regulations 2003, which are usually referred to as the “Privacy Regs”. The Privacy Regs were amended last year in order to implement an EC Directive; however, the Information Commissioner allowed a lead-in period of one year to enable people to get to grips with the changes.

2. What has changed?

Previously the Privacy Regs only required websites which used cookies to provide clear information on how the cookies were used. This was usually covered off in the website privacy policy. The significant new change, however, is that the website user’s consent to the use of cookies is now needed before a cookie can be stored on the user’s device. So sticking some wording in your privacy policy is no longer likely to suffice: express consent rather than implied consent is now needed.

3. What do I need to do now?

Ideally consent should be obtained prior to the cookie being used. This, however, creates a technical issue, as usually it is the act of visiting a website which triggers the cookie being sent, so getting ‘up front’ consent may not be feasible. The Information Commissioner has nonetheless recommended that the user should be made aware of the use of cookies as soon as possible and be given the chance to expressly consent to the use of the cookies on the website.

There are some exceptions to this rule where the use of the cookie is strictly necessary for the service being provided to the user on the website. For example, this would cover the use of cookies in relation to website shopping carts which retain information on the choice of items. However, a lot of cookies used by websites will not qualify under this exemption, and the prudent approach is therefore to review all types of cookies which your website uses and then assess how best to obtain the necessary consent. A decent starting point for such a cookie ‘audit’ would be the guidance provided by the Information Commissioner (www.ico.gov.uk).

4. Why is this such a big issue?

In some cases it won’t be, as some cookies will not collect personally identifiable information. However, some will, and it is this privacy issue which is the principal concern here. People have a right to know what information is being collected about them. Linked to this is the increase in fining power which the Information Commissioner has enjoyed since April 2010 (rising from £5000 to £500,000). The Information Commissioner is perhaps unlikely to come hammering down with half-million-pound fines for incorrect use of cookies: in the spectrum of privacy breaches this type of offence is probably going to be considered at the lower end of the scale. However, high fines cannot be ruled out and it would be unwise to ignore the new regulations. And given the 12-month lead-in period, you clearly won’t be able to argue that you weren’t warned...

Andy Harris
