Cookie Compliance – the provisions of the new cookie laws
From 26 May 2011, users are to be given greater control over the extent to which cookies operate on the web sites they access.
The new law, which follows the adoption in Europe of the Citizens Rights Directive, has the effect, inter alia, of requiring the operators of web sites not only to provide clear information about the cookies, but also to obtain consent from users or subscribers to store a cookie on their device. This will require:
- telling those accessing a web site that the cookies are being used,
- explaining what the cookies do, and
- obtaining consent from the user for the cookie to be stored on their device.
Responsibility for compliance lies primarily with the web site owner setting the cookie, although where a cookie is set by a third party, then strictly both the web site owner and the third party will have responsibility.
The previous position was that if a web site owner wanted to use cookies to store or record information then web site visitors had to be told those cookies were being used and how they could opt-out if they wishes. Under the new provisions cookies can only be used if the web site visitor has given express consent.
The only exception to the rule is where the cookie is strictly necessary for a service requested by the user. An example of this would be an e-commerce site that needed the cookie in order for a shopping cart to be used.
It should be borne in mind that the use of Google Analytics or other similar systems for tracking use of a web site are not deemed to be necessary. However, helpful guidance issued by the Information Commissioner’s Office (ICO) states that it is highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action.
The statement provides that:
“Although the Information Commissioner cannot completely exclude the possibility of formal action in any area, it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals. Provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action.”
For more information on how to make a web site compliant, the Information Commissioner’s Office has published guidance which can be found on ICO web site. The ICO guidance sets out three steps that web site owners should be taking to comply with the legislation:
- Check what type of cookies and similar technologies you use and how you use them,
- Assess how intrusive your use of cookies is, and
- Decide what solution to obtain consent will be best in your circumstances.
Further information about cookies can be found at www.allaboutcookies.org/.
