The law on cookies changed on 26 May, but the new law was only passed by parliament three weeks prior to that, so web site operators have had little time to work out what changes are needed and how to implement them.
Because of this, Christopher Graham, the UK’s information commissioner (ICO), has confirmed he will allow a grace period of one year for businesses to comply with the new regulation.
However, at the same time he has warned that this does not mean businesses can ignore the issue for a year. “We’re giving businesses and organisations up to one year to get their houses in order,” he says. “This does not let everyone off the hook. Those that choose to do nothing will have their lack of action taken into account when we begin formal enforcement of the rules.”
In short, the regulation stipulates that a person shall not store information, or gain access to information that is stored in the equipment of a user, unless the user is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information and is given the opportunity to refuse the storage of, or access to, that information.
The regulation does not specify how this information should be provided. Up to now, a privacy or cookies policy on the web site, setting out information about the existence of cookies, has been regarded as sufficient.
Furthermore, the regulation does not specify how users can refuse a cookie. Up to now, the requirements have been met by providing information as to how a user may configure his or her browser, as browsers have customisable settings that enable the user to set generic cookie preferences.
The regulation affects all cookies and similar tracking devices, including web beacons. It applies to session cookies (which do not retain any data from one visit to a web site to the next) and to persistent cookies (which enable a web site to remember you on subsequent visits).
The regulation also applies to any information - even if the user cannot be identified from it - and not just to personal data. Where a cookie involves personal data, the requirements of the Data Protection Act will also apply.
Some cookies are more invasive from a privacy perspective than others. For example, a third-party cookie that tracks a user’s browsing over multiple web sites so as to deliver targeted behavioural advertising is more sensitive from a privacy perspective than a cookie that simply enables a web site to generate statistics about its usage. Nevertheless, the regulation applies equally to all cookies.
The main change to the regulation is that a cookie may only be used if users have given their consent, having been provided with clear and comprehensive information about the purpose of the cookie.
While it sounds reasonable to suggest that users should consent to a cookie, in reality it can be difficult to get consent.
Under data protection laws, consent must be “freely given, specific and informed”. In other words, the user needs to know exactly how the data concerning his or her browsing habits is to be collected, analysed, stored and used.
The only exemption where consent is not required is where the cookie is “strictly necessary” to provide a service “explicitly requested” by the user.
This exemption is limited in scope because “strictly necessary” means that the use of the cookie has to be essential, rather than desirable or reasonably necessary. The exemption could apply to cookies for shopping baskets, which are strictly necessary to complete a purchase the user is making, but would not apply to cookies for, say, advertising, which is not “explicitly requested” by the user.