Off To See My Lawyer
'Oven-Ready' Document Shop Click here to sign up for our latest updates

Calling all website owners: check your cookies!

On 26th May 2011 a new law* came into force which applies to all website operators who use “cookies” to track their visitors’ movement and choices around their site. A cookie is a small file of letters and numbers downloaded on to a device when the user accesses certain websites. Cookies allow a website to recognise a user’s device.

The previous rule on using cookies for storing information was that you had to:

  • tell people how you use cookies, and
  • tell them how they could ‘opt out’ if they objected.

Many websites did this by putting information about cookies in their privacy policies and giving people the possibility of ‘opting out’.

The new law requires website operators to make sure they have their visitors’ “informed consent” for the use of cookies. The changes aim to give users more choice and control over what information businesses and other organisations store on their computers and how they track users.

Business groups and privacy watchdogs are divided, though, on exactly what “informed consent” means. Luckily, the Information Commissioner’s office (‘ICO’), the government body responsible for enforcing the law, has published a Guidance Note on what they expect website operators to do. However, the guidance is not definitive and leaves it up to organisations to decide how best to obtain the necessary consent. Thankfully, the ICO has given businesses a year in which to change their use of cookies to comply with the law before it will start to take enforcement action.

What should you do now?

  1. Establish what cookies if any you have on your website. You may have had the site developed for you and so you need to ask your website developer what cookies they used.
  2. If you do have cookies, decide which ones are essential for your visitors’ use of your site. For example, a cookie that tracks what a customer puts in their shopping basket would be considered essential and therefor may not need the customer’s express consent. A cookie that tracks that the customer had  a good browse in home furnishings  before going to children’s’ wear on the other hand may be considered intrusive and therefore require express consent.
  3. Draw up a plan that shows that you are addressing the use of cookies and that you are putting into place a plan to comply with the new law. This will be important if the ICO does come after you.
  4. Establish how you will get a visitor’s consent to the use of cookies. One option would be to have pop- up box that alerts users to cookies and asks them to agree. Alternatively, the ICO have said that getting users to agree to your Terms of Use/Privacy Policy would also work. However, instead of just displaying them as a link on your website, you would need to get them to tick a box, indicating their express acceptance of them.
  5. Check that your Privacy Policy spells out exactly what information is being collected by cookies. The bottom line is that you need to be upfront with users about how your website operates

“Some uses of cookies can involve creating detailed profiles of an individual’s browsing activity. If you are doing this, or allowing it to happen, on your website or across a range of sites, it is clear that you are doing something that could be quite intrusive – the more privacy intrusive your activity, the more priority you will need to give to getting meaningful consent,” the ICO guidance said.

“It might be useful to think of this in terms of a sliding scale, with privacy neutral cookies at one end of the scale and more intrusive uses of the technology at the other. You can then focus your efforts on achieving compliance appropriately providing more information and offering more detailed choices at the intrusive end of the scale,” the ICO said.

*The Privacy and Electronic Communications (Amendment) Regulations 2011.

For the Guidance Note see here

For the Information Commissioner’s Office see here

Tags: , , , ,

Leave a Reply