Website changes required by 26 May 2011
ICO's cookie guidance rejects browser settings approach

Updated May 2011

This week the Information Commissioner's Office (ICO) issued guidance on how to comply with new legislation regulating the use of cookies (and similar technologies). As we have previously reported (see Related publications), under the new law, use of cookies will only be permitted with users' explicit prior consent, or opt-in. This is a change from the current position, whereby website operators are permitted to install cookies on a users' computer as long as users have been given the opportunity to opt-out and have been provided with information about how those cookies will be used.

Since the forthcoming changes were announced in the revised EU's Privacy and Electronic Communications Directive, businesses have opposed the introduction of a strict opt-in. They have suggested that as browser settings can be set up to block cookies, if a user does not change his or her browser settings to block cookies they are effectively giving consent to the use of cookies. The ICO's guidance however, has, for the time being, rejected this approach as a means of compliance. The reason for this conclusion is that the ICO considers that most browser settings are not sophisticated enough to demonstrate the requisite level of consent. Further, not all users who visit a website do so via a browser, for instance those who access via mobile phone. The guidance acknowledges that in the future there may be the possibility of relying on users' browser settings and that the government is working towards a solution, but for now, the technology is not yet available.

In suggesting how businesses should comply with the new requirements, the ICO's guidance makes it clear that businesses are expected to take a phased approach. Businesses are advised to:

• conduct an audit of where cookies are used and how they are used;
• assess how intrusive the use of a cookie is; and
• decide what solution to obtain consent is most appropriate to the circumstances.

The message is that there is a scale of severity - the more intrusive the cookie (that is, the more the use of the cookie relates to the user's personal information and will influence behaviour towards the user) the more care is required in bringing the user's attention to the purpose of the cookie and ensuring that express consent is obtained. Businesses will therefore need to consider an appropriate means of obtaining consent for each type of cookie used. Possible solutions suggested in the guidance include the use of pop ups, the use of terms and conditions and the use of scrolling text to draw users' attention to information about cookies.

If website operators allow third parties to place cookies on a users' equipment, the ICO's guidance indicates that the website operator and the third party will need to work together to ensure appropriate consent to use of such cookies is obtained. This will be particularly relevant where advertising agencies place cookies on websites in order to serve targeted advertising.

On a positive note for website operators, the guidance has accepted that consent is only required the first time that a cookie is installed rather than every time a user visits the website. Any changes to the purpose of the cookie will require further consent. There is also a very narrow exception to the rule requiring consent if the cookie is 'strictly necessary' for a service requested by the user - for instance if it has been used as an online shopping basket to enable payment.

TLT's Data Protection & Privacy team is offering a review service to assist you in identifying the best means of obtaining consent given the types of cookies used on your website. If you would like more information about the review service or have any queries about the forthcoming changes, please contact Alison Deighton.

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at May 2011. Specific advice should be sought for specific cases; we cannot be held responsible for any action (or decision not to take action) made in reliance upon the content of this publication.

TLT LLP is a limited liability partnership registered in England & Wales number OC 308658 whose registered office is at One Redcliff Street, Bristol BS1 6TP England. A list of members (all of whom are solicitors or lawyers) can be inspected by visiting the People section of this website. TLT LLP is authorised and regulated by the Solicitors Regulation Authority under number 406297.