When an individual accesses a website, the website may set small files called cookies onto that individual’s computer or phone. Cookies enable the website to send and receive information to and from the individual’s web browser. Cookies have a large number of functions and uses, such as enabling a website to record the contents of a shopping basket or a website user’s preferences for any customisable aspects of the website. Cookies also play an important role in website analytics, advertising and in calculating the commissions payable for advertisements published on websites.
Cookies are overwhelmingly used for legitimate purposes and make surfing the internet an easier and more enjoyable process. However, some cookies can also be used to track, albeit anonymously, an internet user’s browsing activity and may therefore be considered to intrude on a website user’s privacy. It is this capability that has prompted new EU-based regulation (the Regulations) [1].
How has the law changed?
Previously, a website user’s acceptance of cookies could be inferred by the website user’s internet browser settings; if a website user did not want to accept cookies, he or she would have configured their internet browser to reject all cookies. Under the Regulations, the operators of websites setting cookies must now obtain website users’ “freely given specific and informed consent”. This means that website users must now take positive action to communicate acceptance of cookies.
The Regulations came into law on 25 May 2011. However, the Information Commissioner’s Office (ICO), the public body responsible for enforcing the Regulations, has stated that the Regulations will not be enforced for the first year. The ICO expects organisations which set cookies to use this time to take steps towards compliance with the Regulations. It was not until mid-December 2011 that the ICO published meaningful guidance on how the Regulations will be interpreted or any practical advice on how to comply.
Consent may no longer be implied and should be given before any cookies are set. Consent to cookies need only be given once and may be given in respect of multiple cookies. Although a number of individuals may use the same device to access the internet, it is only necessary to obtain the consent of one of those users. A user can also consent to cookies being set by more than one website.
Third Party Cookies
If a cookie is being set by a website on behalf of a third party, both the website operator and the third party are responsible for ensuring that consent is obtained. Consent may be obtained by either the operator of the website or the third party, although in almost all cases it will be far easier for the website operator to obtain consent.
It is not necessary to obtain consent for cookies which are strictly necessary for the provision of services requested by the website user. Therefore, consent is not required for cookies to record the contents of a shopping basket, whereas consent is required for cookies to customise a website.
Informing Website Users
Website operators must decide for themselves what is an appropriate method of obtaining consent, which will depend on how cookies are used.
Pop-ups requesting users to confirm whether or not they accept cookies are the most effective way of obtaining consent, but may spoil the experience of using the website. Alternatively, your organisation’s website may be able to use a banner to request consent. This banner need not prevent a website user from accessing other areas of the website if he or she fails to provide a response. This banner should be repeated on other pages of the website, but perhaps in a smaller format, until the website user has indicated whether or not he or she is willing to accept cookies. If your organisation’s website already requires users to sign in and agree to terms and conditions of use, these terms and conditions could be amended to cover consent.
Third Party Consent
If websites set cookies on behalf of your organisation, your organisation should enter an agreement (or amend any existing agreement) which compels the operators of those websites to obtain the appropriate consents. If your organisation’s website sets cookies on behalf of a third party, that third party should be identified to users of your organisation’s website.
Cookies are very extensively used for a variety of purposes. However, what cookies are and what they do is not widely known by the general public. Some argue that what people do not know does not hurt them, and indeed there has been no significant public opposition to cookies as they are currently used. On the other hand, it is argued that a general lack of awareness is all the more reason to draw cookies to the public’s attention.
A final thought: If a website user does not accept cookies, how will the websites he or she visits remember that preference without a cookie?
[1] The Privacy and Electronic Communications (EC Directive) Regulations 2003 came into force in the UK in December 2003, implementing European Directive 2002/58/EC. The Privacy and Electronic Communications (EC Directive) Regulations 2003 have now been amended by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2003, implementing European Directive 2009/136/EC.
Marriott Harrison LLP, MH Media & Technology