
Thursday 17th May 2012

On 26 May 2011 the law governing the use of cookies changed. Previously, the law required websites to provide users with full information about how the website used cookies and information on how to prevent cookies being deployed on to users’ machines. Now, users have to explicitly give their consent prior to having cookies downloaded on to their computers or mobile devices, having been provided with full and frank information about the use of cookies on a website. The new legislation can be found here.
 
Frustratingly, the government and the Information Commissioner’s Office (ICO) currently have few clear ideas as to how the new legislation should be implemented by web managers. There is no guidance in the amended E-Privacy regulations as to exactly how “consent” should be given. The Government has left that remit with the ICO, and, as its latest guidance note highlights, there is as yet no clear-cut method of ensuring compliance.
 
The consequences of non-compliance
The ICO recognises that implementation of the new law will need to be phased and has thus taken a sensible approach to enforcement by giving web managers until May 2012 to comply with the new legislation before issuing sanctions.
From May 2012, the ICO will have the power to impose penalties of up to £500,000 for breaches of the new legislation. However, web managers are expected to be working towards compliance with the new law in the interim.
 
The ICO will still be investigating websites subject to non-compliance complaints during the year-long grace period. If a non-compliant website cannot demonstrate to the ICO that it has been working towards compliance, it will be given a warning. Should the website still be non-compliant after May 2012, that warning may well turn into a financial penalty. 
 
What needs to be done now?
Web managers in the UK should therefore be doing the following:
 
  • Ascertaining what types of cookies are used by their websites and how they are downloaded onto users’ machines (effectively a ‘cookie audit’).
  • Deciding on which method(s) of obtaining consent is best for their website, given the cookie audit.
  • Recording the cookie audit and implementation methods in an easily digestible form, lest the ICO ever investigate the site during this transitional period.

Suggested methods of implementation
The list is non-exhaustive and will no doubt get longer, but below are a few options which have been suggested to procure user consent before cookies are downloaded. Please note that consent only needs to be provided by a user the first time each type of cookie (used for the same purpose) is downloaded on to their machine: 
 
  • Pop-ups each time a cookie is to be downloaded onto a user’s machine.
  • Having in place a privacy policy setting out the site’s use of cookies; the terms of which a user must positively agree to upon visiting the site (i.e. via a tick box).
  • Settings and feature-led consent. If cookies are downloaded when a user does something, e.g. watches a video or personalises the site, the user’s consent is obtained prior to that action.
 
Web managers should be reminded that where the use of cookies is “strictly necessary” for the disclosed central purpose of the site, no consent needs to be given by the end user to their deployment. The most common situation in which this applies will be where a website remembers the contents of a user’s shopping basket as they navigate the site. 
 
What next?
Ultimately, it is intended that consent will be provided through users’ web browsers. Should a user access a website via a sufficiently sophisticated web browser, consent will be implied automatically. The Government is currently consulting with the major web browser manufacturers to this end and it is envisaged that an announcement as to compliance via this unobtrusive method will eventually be made.

Many businesses are currently confused by the legal implications of the new Cookies legislation and the best ways of implementing appropriate changes. Should you require focused advice on how your business should comply with the new legislation, feel free to contact Simon Halberstam, a technology partner at Kingsley Napley LLP, at shalberstam@kingsleynapley.co.uk or on 020 7814 1258.