On 26th May 2011 a new law* came into force which applies to all website operators who use “cookies” to track their visitors’ movement and choices around their site. A cookie is a small file of letters and numbers downloaded on to a device when the user accesses certain websites. Cookies allow a website to recognise a user’s device.
The previous rule on using cookies for storing information was that you had to:
- tell them how they could ‘opt out’ if they objected.
Many websites did this by putting information about cookies in their privacy policies and giving people the possibility of ‘opting out’.
What should you do now?
- Establish what cookies, if any, you have on your website. If you had the site developed for you, ask your website developer what cookies they used.
- If you do have cookies, decide which ones are essential for your visitors’ use of your site. For example, a cookie that tracks what a customer puts in their shopping basket would be considered essential and therefore may not need the customer’s express consent. A cookie that tracks that the customer had a good browse in home furnishings before going to children’s wear, on the other hand, may be considered intrusive and therefore require express consent.
“Some uses of cookies can involve creating detailed profiles of an individual’s browsing activity. If you are doing this, or allowing it to happen, on your website or across a range of sites, it is clear that you are doing something that could be quite intrusive – the more privacy intrusive your activity, the more priority you will need to give to getting meaningful consent,” the ICO guidance said.
“It might be useful to think of this in terms of a sliding scale, with privacy neutral cookies at one end of the scale and more intrusive uses of the technology at the other. You can then focus your efforts on achieving compliance appropriately providing more information and offering more detailed choices at the intrusive end of the scale,” the ICO said.