New rules on the use of website cookies came into force on 26 May 2011. Prior to this date, websites only had to tell users about the cookies they used and give them information about how to opt out of their use, with this information usually being given as part of the site’s privacy policy. Now, however, websites wanting to use cookies must obtain the user’s informed consent before doing so.
What is a cookie?
A cookie is a piece of information in the form of a very small text file that is placed on a user’s hard drive. It is generated by a web page server (basically the computer which operates the website) and the information it contains is set by the server. Cookies make the interaction between users and websites faster and the browsing experience more efficient and enjoyable. Cookies also enable websites to monitor their users’ web surfing habits and profile them for marketing purposes.
The new rules: the three step process
The new rules are set out in Regulation 6 of the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011, which amend the 2003 Privacy and Electronic Communications Regulations. Following publication of the 2011 Regulations, the Information Commissioner’s Office (ICO) has published a guidance note on the changes to the rules, and advises that organisations must now take the following steps:
Methods of obtaining consent
The ICO’s guidance on obtaining consent is not particularly clear, although the overriding message is, as ever, transparency. It discusses various options for an organisation to obtain a user’s consent including:
The guidance also emphasises that the opt-in rules for consent apply equally where websites allow the use of third-party cookies. It acknowledges that this may be the most challenging area in which to achieve compliance, but disappointingly gives little advice as to how to deal with the issues.
What should businesses using websites do now?
Organisations have been given 12 months to make sure they comply with the new rules. Although the ICO is taking a phased approach to implementation, it states that, in the event of a complaint about a website, it would expect the organisation’s response to be that it has considered the three step process referred to above and has a realistic plan to achieve compliance. All businesses using websites should therefore now:
For further information contact Aisha Dickson, Solicitor Corporate & Commercial at Adams & Remers LLP.