Cookie compliance

Updated January 2012

Cookies are small text files that are downloaded to an individual's PC when the individual visits certain websites. They contain information about the individual's behaviour on the site and for example can be used by website operators to monitor preferences and habits.

Since May 2011 Regulations have been in force in the UK – resulting from a new European privacy directive - governing the use of internet cookies.

Businesses with websites targeted at the UK need to get visitors’ express or opt in consent to store cookies on users’ computers. Previously cookies could be installed as long as users had been given the opportunity to opt out and had been provided with information about how the cookies would be used.

The user will not be treated as having given consent simply because the user’s browser settings have not been changed to block cookies as the Information Commissioners Office (ICO) considers most browser settings are not sophisticated enough to demonstrate the requisite level of consent.

The ICO has power to fine companies up to £500,000 for breaching the rules but has stated that enforcement powers will not be exercised until May 2012 – this period is intended to allow time for the development of technical solutions to enable businesses to comply. However the ICO will not condone businesses who delay action until next year.

What steps should businesses take?

The ICO advises taking the following steps:

• Conduct an audit of the types of cookies used and how they are used.
• Assess how intrusive the use of each cookie is.
• Decide on the best method of gaining consent – the more the use of the cookie relates to the visitor’s personal information the more you need to do to obtain meaningful consent.

The ICO’s guidance document suggests various options to obtain user’s consent including pop-ups and similar techniques, the use of terms and conditions and the use of scrolling text to draw user’s attention to information about cookies.

If the company’s website allows a third party to set cookies on a user’s device, the process of obtaining consent is more complex and it is likely the company will need to work together with the third party to ensure appropriate consent is obtained. This could for example be relevant where advertising agencies place cookies on a company’s website in order to serve targeted advertising.

Enforcement

Although the ICO has made it clear that it will not take enforcement action until May 2012, businesses are expected to take steps now to ensure compliance and warnings may be issued to businesses that are not making adequate preparation. These warnings will be taken into account if enforcement action is required after May 2012. That enforcement action may include a fine of up to £500,000. Failure to comply could also lead to action from consumer groups and ongoing investigations into other data protection breaches.

TLT’s review service

As this is a high profile change to the law the ICO is likely to receive complaints and be vigorous in taking action in the coming months.

TLT is offering a review service to assist you in identifying the best means of obtaining consent given the types of cookies used on your website. If you would like more information about our review or other services or have any queries on the forthcoming changes please contact Nicola Fincham, Partner in the Commercial Team.

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at January 2012. Specific advice should be sought for specific cases; we cannot be held responsible for any action (or decision not to take action) made in reliance upon the content of this publication.

TLT LLP is a limited liability partnership registered in England & Wales number OC 308658 whose registered office is at One Redcliff Street, Bristol BS1 6TP England. A list of members (all of whom are solicitors or lawyers) can be inspected by visiting the People section of this website. TLT LLP is authorised and regulated by the Solicitors Regulation Authority under number 406297.