What the new rules on cookies mean for IT leaders

By Nigel Miller
22 Jun 2011

The law on cookies changed on 26 May, but the new law was only passed by parliament three weeks prior to that, so web site operators have had little time to work out what changes are needed and how to implement them.

Because of this, Christopher Graham, the UK’s information commissioner (head of the Information Commissioner’s Office, the ICO), has confirmed he will allow a grace period of one year for businesses to comply with the new regulation.

However, at the same time he has warned that this does not mean businesses can ignore the issue for a year. “We’re giving businesses and organisations up to one year to get their houses in order,” he says. “This does not let everyone off the hook. Those that choose to do nothing will have their lack of action taken into account when we begin formal enforcement of the rules.”

Legal position

The use of cookies is regulated by the Privacy and Electronic Communications Regulations, which came into force in 2003 to implement an EU directive (the regulations are referred to below simply as “the regulation”).

In short, the regulation stipulates that a person shall not store information, or gain access to information that is stored in the equipment of a user, unless the user is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information and is given the opportunity to refuse the storage of, or access to, that information.

The regulation does not specify how this information should be provided. Up to now, a privacy or cookies policy on the web site, setting out information about the existence of cookies, has been regarded as sufficient.

Furthermore, the regulation does not specify how users can refuse a cookie. Up to now, the requirements have been met by providing information as to how a user may configure his or her browser, as browsers have customisable settings that enable the user to set generic cookie preferences.

The regulation affects all cookies and similar tracking devices, including web beacons. It applies to session cookies (which do not retain any data from one visit to a web site to the next) and to persistent cookies (which enable a web site to remember you on subsequent visits).

The regulation also applies to any information - even if the user cannot be identified from it - and not just to personal data. Where a cookie involves personal data, the requirements of the Data Protection Act will also apply.

Some cookies are more invasive from a privacy perspective than others. For example, a third-party cookie that tracks a user’s browsing over multiple web sites so as to deliver targeted behavioural advertising is more sensitive from a privacy perspective than a cookie that simply enables a web site to generate statistics about its usage. Nevertheless, the regulation applies equally to all cookies.

Regulation change

The main change to the regulation is that a cookie may only be used if users have given their consent, having been provided with clear and comprehensive information about the purpose of the cookie.

In essence, this is a move away from an “opt-out” towards an “opt-in” approach. Whereas previously it was sufficient for web sites to notify users of the use of cookies and provide information about how these could be disabled through browser settings, the new requirements are more extensive. Coinciding with this amendment, the enforcement powers of the ICO have been increased: the commissioner can now impose fines of up to £500,000 for serious breaches of the regulation.

Informed consent

While it sounds reasonable to suggest that users should consent to a cookie, in reality it can be difficult to get consent.

Under data protection laws, consent must be “freely given, specific and informed”. In other words, the user needs to know exactly how the data concerning his or her browsing habits is to be collected, analysed, stored and used.

While this can be explained in the web site’s terms and conditions or privacy policy, inevitably these documents are detailed, legalistic and complex. Most consumers do not read them, or only do so superficially, and that can hardly be a basis for informed consent. The central issue, therefore, is how consent can be obtained in a manner that is compliant with the amended regulation.

Necessary exemption

The only exemption where consent is not required is where the cookie is “strictly necessary” to provide a service “explicitly requested” by the user.

This exemption is limited in scope because “strictly necessary” means that the use of the cookie has to be essential, rather than desirable or reasonably necessary. The exemption could apply to cookies for shopping baskets, which are strictly necessary to complete a purchase the user is making, but would not apply to cookies for, say, advertising, which is not “explicitly requested” by the user.
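The practical first step for an operator is a register of every cookie the site sets, its lifetime, its purpose, and whether it falls inside the “strictly necessary” exemption or must wait for consent. The following Python is an added illustration, not code from the article or from the ICO: the cookie catalogue, the sample Set-Cookie headers and the `consent_given` flag are all constructed for the example, and which cookies count as “strictly necessary” is a judgement each operator has to make for its own site.

```python
"""Cookie register and consent gate (constructed example, not from the article)."""
from typing import Dict, List

# Constructed catalogue for a hypothetical site. "essential" marks cookies the
# operator judges "strictly necessary" for a service the user explicitly requested
# (the shopping basket); analytics and advertising cookies are not.
COOKIE_CATALOGUE: Dict[str, Dict[str, object]] = {
    "basket_id": {"purpose": "keeps the shopping basket together during checkout", "essential": True},
    "analytics_uid": {"purpose": "site usage statistics", "essential": False},
    "ad_tracker": {"purpose": "behavioural advertising across web sites", "essential": False},
}

# Constructed Set-Cookie header values as a hypothetical response might carry them.
SAMPLE_SET_COOKIE_HEADERS: List[str] = [
    "basket_id=b7f3; Path=/; Secure; HttpOnly",
    "analytics_uid=u-192; Max-Age=31536000; Path=/",
    "ad_tracker=t-55; Expires=Thu, 01 Jan 2026 00:00:00 GMT; Path=/; Domain=.ads.example",
    "ab_variant=B; Path=/",  # nobody documented this one
]


def cookie_name(set_cookie: str) -> str:
    """Name from the leading name=value pair of a Set-Cookie header value."""
    return set_cookie.split(";", 1)[0].split("=", 1)[0].strip()


def cookie_lifetime(set_cookie: str) -> str:
    """'persistent' if the header carries Expires or Max-Age, otherwise 'session'.

    A session cookie is discarded when the browsing session ends; a persistent one
    survives until its expiry, which is what lets a site remember a returning user.
    """
    for attr in set_cookie.split(";")[1:]:
        if attr.split("=", 1)[0].strip().lower() in ("expires", "max-age"):
            return "persistent"
    return "session"


def cookie_register(headers: List[str]) -> List[Dict[str, object]]:
    """One register row per cookie: name, lifetime, documented purpose, consent needed.

    A cookie missing from the catalogue cannot have had its purpose explained to
    anyone, so it is recorded as undocumented and treated as needing consent.
    """
    rows = []
    for header in headers:
        name = cookie_name(header)
        entry = COOKIE_CATALOGUE.get(
            name, {"purpose": "UNDOCUMENTED: find the owner", "essential": False}
        )
        rows.append({
            "name": name,
            "lifetime": cookie_lifetime(header),
            "purpose": entry["purpose"],
            "consent_required": not entry["essential"],
        })
    return rows


def filter_set_cookie_headers(headers: List[str], consent_given: bool) -> List[str]:
    """Keep only the Set-Cookie headers the site may send right now.

    Essential cookies are always sent; every other cookie, including undocumented
    ones, is dropped until consent has been recorded for this user.
    """
    kept = []
    for header in headers:
        entry = COOKIE_CATALOGUE.get(cookie_name(header))
        essential = bool(entry and entry["essential"])
        if essential or consent_given:
            kept.append(header)
    return kept


if __name__ == "__main__":
    for row in cookie_register(SAMPLE_SET_COOKIE_HEADERS):
        print(row)
    print("before consent:", filter_set_cookie_headers(SAMPLE_SET_COOKIE_HEADERS, False))
    print("after consent: ", filter_set_cookie_headers(SAMPLE_SET_COOKIE_HEADERS, True))
```

Run against the constructed headers, only `basket_id` is sent before consent, and the register flags `ab_variant` as undocumented, which is the kind of cookie an audit of a real site tends to turn up. The gate sits on the response path, so the decision is made by the server for every response rather than relying on the user's browser settings.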
