The cookies monster: How to deal with the new cookies law

From 26 May 2011, the law concerning the use of cookies and similar technologies for storing information on a user's computer equipment is changing. Henrietta Neate looks at what the new law says and what you will need to do to ensure that you comply.


Express consent required

Previously, if you wanted to use cookies, or similar technologies for storing information, on your website you had to tell visitors to your website how you use those cookies and how they can opt-out if they object to them being used.

The new law means cookies can only be placed on devices where the user or subscriber has given their express consent. This means the user has to be provided with clear and comprehensive information about the purposes of the storage of or access to that information, and have given his or her consent. The only exception is where the cookie is strictly necessary for a service requested by the user.

What actions do you need to take now?

Many website providers currently comply with the existing requirements by setting out the information about their cookies, and the steps that need to be taken to opt out, in their privacy policies. Under the new regulations this will no longer be sufficient. However, it is not entirely clear what will be sufficient. To help organisations identify ways in which they can become compliant with the new requirements, the Information Commissioner's Office (ICO) published guidance on 9 May 2011. The ICO guidance identifies three steps that you should be taking now:

Step 1 - perform an audit on the type of cookies and similar technologies used and how they are used: The ICO explains that this might amount to a comprehensive audit of your website, or it could be as simple as checking what data files are placed on user terminals and why.

Step 2 - assess how intrusive the use of cookies is: The ICO explains that the new rule is intended to add to the level of privacy protection afforded to internet users. Consequently, website providers should consider their use of cookies on a sliding scale of intrusiveness. They need to give greater priority to obtaining meaningful consent for their more intrusive uses of cookies, such as those that involve creating detailed profiles of an individual's browsing activity, either on the provider's own site or across a range of sites.

Step 3 - decide on the best solution for obtaining consent: One further change to the regulations states that consent may be signified by a subscriber who amends or sets controls on their internet browser, or by a subscriber who uses another application or program to signify consent. Because of this provision, when the proposed amendments were first published it was hoped that in practice the changes needed to websites would be limited, as many users were already changing their browser settings to reject cookies. However, in its guidance the ICO confirmed that existing browser settings are not adequate to evidence consent.


Methods of gaining user consent

The UK government is working with the major browser providers to identify future browser setting capabilities that will be adequate, but this is not yet ready. Consequently, the current advice is that you must gain consent some other way.

The ICO guidance sets out several options that are available for you to obtain a user's consent. These are only intended to be a guide and the government has made it clear that it considers that technological capabilities and advances should dictate the approach taken rather than legislation. The options set out in the ICO guidance include:

Pop-ups and similar techniques: This initially seems a relatively easy way to achieve compliance - you ask the user to click "yes" to accept - but it may spoil the visitor's experience of using the website, especially where you use several cookies.

Terms and conditions: Obtaining consent through the terms and conditions of a site may be an easy option where the use of a website requires registration. However, the ICO points out that if users have already agreed to terms when first using a site, merely changing the terms and conditions to include consent for cookies will not be sufficient. To satisfy the new rules on cookies, you would have to make users aware of the changes and point out specifically that the changes refer to the use of cookies. You then need to obtain a positive indication that users understand and agree to the changes, such as ticking a box.

Settings-led consent: Some cookies are deployed when a user makes a choice about how the website works for them. In these cases the ICO suggests that consent could be gained as part of the process by which the user confirms how they want the website to work.

Feature-led consent: You may be able to get consent where a visitor chooses to use a particular feature of the site, such as watching a video clip. At the point the user takes that action, you could ask for consent for the cookie.

Functional issues: The ICO explains that an analytic cookie which collects information about how people access and use a website might not appear to be as intrusive as others, but still needs consent. It recommends that organisations make information about the use of cookies more prominent.

Third-party cookies: The ICO advises that anyone using third-party cookies should ensure that the user is aware of what is being collected and by whom and allows them to make informed choices about what is stored on their device. The ICO has acknowledged that this may be the most challenging area in which to achieve compliance with the new rules and states that it is working with industry and other European data protection authorities to find solutions. It is not clear at the moment exactly who has responsibility for obtaining consent.
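The Step 1 audit and the consent options above (the strictly-necessary exception, settings-led and feature-led consent, and telling users what is collected and by whom) can be turned into one enforcement point in site code. The following is an added example, not code from the article or from the ICO; it uses an in-memory cookie jar in place of document.cookie so it runs outside a browser, and every cookie name, category and purpose in it is constructed for illustration.

```javascript
// Added example (not the article's or the ICO's code): a consent-gated cookie
// writer. Nothing is stored on the device unless it is strictly necessary or
// the user has positively consented to its category. Runs in Node.

const NECESSARY = 'strictly-necessary';

// Cookie register: the product of a Step 1 audit. Every cookie the site sets is
// listed with its purpose and consent category (constructed sample data).
const COOKIE_REGISTER = {
  session_id:   { category: NECESSARY,     purpose: 'keeps the user logged in during a visit' },
  basket:       { category: NECESSARY,     purpose: 'holds items the user asked to buy' },
  ui_lang:      { category: 'functional',  purpose: 'remembers the language the user chose' },
  video_player: { category: 'functional',  purpose: 'remembers volume and playback position' },
  analytics_id: { category: 'analytics',   purpose: 'measures how pages are used' },
  ad_tracker:   { category: 'third-party', purpose: 'profiles browsing across sites',
                  thirdParty: 'example-adnetwork.invalid' },
};

class ConsentGate {
  constructor(register, jar = new Map()) {
    this.register = register;
    this.jar = jar;                          // stands in for document.cookie
    this.consented = new Set([NECESSARY]);   // necessary cookies never need consent
    this.log = [];                           // audit trail: what was set or refused, and why
  }

  // Record a positive indication from the user (ticked box, settings choice,
  // use of a feature). Pre-existing browser defaults must never call this.
  grant(category) {
    if (category !== NECESSARY) this.consented.add(category);
  }

  // Withdraw consent and delete cookies already stored under that category.
  revoke(category) {
    if (category === NECESSARY) return;
    this.consented.delete(category);
    for (const [name, meta] of Object.entries(this.register)) {
      if (meta.category === category) this.jar.delete(name);
    }
  }

  // The only path that writes a cookie. Anything not in the register was
  // missed by the audit, so it is refused rather than silently allowed.
  set(name, value) {
    const meta = this.register[name];
    if (!meta) {
      this.log.push({ name, set: false, reason: 'not in register' });
      return false;
    }
    if (!this.consented.has(meta.category)) {
      this.log.push({ name, set: false, reason: `no consent for ${meta.category}` });
      return false;
    }
    this.jar.set(name, value);
    this.log.push({ name, set: true, reason: meta.category });
    return true;
  }

  // Text for a consent notice: what is stored, why, and (if relevant) by whom.
  describe(category) {
    return Object.entries(this.register)
      .filter(([, m]) => m.category === category)
      .map(([name, m]) => `${name}: ${m.purpose}` + (m.thirdParty ? ` (set by ${m.thirdParty})` : ''));
  }
}

// Feature-led consent: the user clicks "play" on a video clip, the site asks
// for functional consent at that point, and only then sets the player cookie.
function playVideo(gate, userAgreed) {
  if (userAgreed) gate.grant('functional');
  return gate.set('video_player', 'vol=80;pos=0');
}

function demo() {
  const gate = new ConsentGate(COOKIE_REGISTER);
  const results = {
    session: gate.set('session_id', 'abc123'),          // necessary: allowed without consent
    analyticsBefore: gate.set('analytics_id', 'u-1'),   // refused: no consent yet
    unknown: gate.set('tracking_pixel', '1'),           // refused: not in the audit register
    videoDeclined: playVideo(gate, false),              // refused: user did not agree
    videoAccepted: playVideo(gate, true),               // allowed: feature-led consent given
  };
  gate.grant('analytics');
  results.analyticsAfter = gate.set('analytics_id', 'u-1');
  gate.revoke('analytics');
  results.analyticsStoredAfterRevoke = gate.jar.has('analytics_id');
  results.stored = [...gate.jar.keys()];
  results.thirdPartyNotice = gate.describe('third-party');
  return results;
}

console.log(demo());
```

The register is the artefact the audit in Step 1 produces, and the gate makes it the single place where the "strictly necessary" exception is decided, so a cookie added later without an entry fails closed. The `log` gives the evidence trail the ICO's "what steps have you taken" question asks for.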


Make changes as soon as possible

Guide to EU cookie compliance

This article is part of the EU cookie compliance guide which contains news and advice for organisations in Europe and around the world for complying with the cookie law.

Given the variety of cookies in use and the variety of uses for the information collected, it does not seem likely that organisations will be able to adopt a one-size-fits-all approach to compliance with the new requirements. Accordingly, significant change by most website providers is likely to be required. The magnitude of the required changes has been recognised by the government and is reflected in its adoption of a phased approach to implementing them. This does not, however, mean that you should ignore the changes.

The ICO has clearly stated that, if it receives a complaint about a website, it will deal very differently with an organisation that has followed the three steps outlined above than it would if the organisation had done nothing to comply.



Henrietta Neate is a lawyer at SNR Denton LLP.