Have your cookie and eat it: guide to website cookies rules changes

20 June 2011

New rules on the use of website cookies came into force on 26 May 2011. Prior to this date, websites only had to tell users about the cookies they used and give them information about how to opt out of their use, with this information usually being given as part of the site’s privacy policy. Now, however, websites wanting to use cookies must obtain the user’s informed consent before doing so.

What is a cookie?

A cookie is a piece of information in the form of a very small text file that is placed on a user’s hard drive. It is generated by a web page server (basically the computer which operates the website) and the information it contains is set by the server. Cookies make the interaction between users and websites faster and the browsing experience more efficient and enjoyable. Cookies also enable websites to monitor their users’ web surfing habits and profile them for marketing purposes.

The new rules: the three step process

The new rules are set out in Regulation 6 of the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011, which amend the 2003 Privacy and Electronic Communications Regulations. Following publication of the 2011 Regulations, the Information Commissioner’s Office (ICO) has published a guidance note on the changes to the rules, and advises that organisations must now take the following steps:

  1. audit: check what type of cookies and similar technologies the organisation is using and how it uses them. Many cookies used may be redundant and could be dispensed with;
  2. assessment: assess how intrusive its use of cookies is – the more intrusive, the greater the compliance effort required to make its use transparent and to obtain the user’s consent; and
  3. consent: decide on the best way of obtaining the user’s consent to its use of cookies.

Methods of obtaining consent

The ICO’s guidance on obtaining consent is not particularly clear, although the overriding message is, as ever, transparency. It discusses various options for an organisation to obtain a user’s consent including:

  • pop-ups: a relatively easy option but may spoil a user’s website experience;
  • website terms & conditions (T&Cs): review and change website T&Cs to ensure cookies are dealt with appropriately and obtain a positive indication of any such changes through the use of a consent tick-box;
  • settings-led or feature-led consent: gain consent as part of the process by which the user confirms what they want to do or how they want the website to work; and
  • functional uses: make information about the use of cookies prominent, with a list and description of how they work.

The guidance also emphasises that the opt-in rules for consent apply where websites allow the use of third party cookies. It acknowledges that this may be the most challenging area in which to achieve compliance, but disappointingly gives little advice as to how to deal with the issues.

What should businesses using websites do now?

Organisations have been given 12 months to make sure they comply with the new rules. Although the ICO is taking a phased approach to implementation, it states that, in the event of a complaint about a website, it would expect an organisation’s response to be that they have considered the three step process referred to above, and have a realistic plan to achieve compliance. All businesses using websites should therefore now:

  • carry out the three step process referred to above: audit, assessment, consent;
  • review and update website T&Cs and/or relevant privacy policies;
  • monitor industry developments to see if any future browser based solutions to achieve consent become workable; and
  • check in with Adams & Remers LLP for information on future ICO guidance.

For further information contact Aisha Dickson, Solicitor Corporate & Commercial at Adams & Remers LLP.

