• home
• about us
• what we do
  • business clients
    • summary
    • contracts
      • technology
      • outsourcing
      • commercial
      • end-to-end deal support
      • post-signature assistance
    • e-commerce
    • data protection
    • risk audits and due diligence
    • training
  • public sector
    • summary
    • procurement compliance
    • contracts
      • ICT
      • outsourcing
      • supply
      • end-to-end procurement support
      • post-signature assistance
    • data protection and FOI
    • risk audits and due diligence
    • training
• our lawyers
  • summary
  • Paul Golding
  • Tracey Tarrant
• who we act for
  • summary
  • SMEs
  • nationals/multi-nationals
  • overseas companies
  • public sector
  • in-house lawyers
  • law firms
  • our clients
  • what others say
• our fees
• legal updates
• contact us

TRG law

law simplified

Cookies – getting the recipe right

Given that virtually every website and many marketing e-mails use cookies, it is important for all organisations to note that the law has changed regarding the use of cookies - it is no longer enough simply to tell website users/recipients about cookies and allow them to opt out. There is now a requirement to obtain consent to the use of cookies and similar technologies on websites and as part of marketing activities.

Background

The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011, sometimes referred to as 'the cookie laws', (‘the Regulations’) came into effect in May 2011 but they started to be actively enforced from 26^th May 2012.

What is a 'cookie'?

A 'cookie' in the context of a website is a small file of computer code that is invisibly placed on a device when a user accesses a website or a marketing e-mail to enable the website owner or advertiser to distinguish individual visitors/devices and gather useful information. A typical cookie, for example, recognises the user and means that there is no need for that user to sign in with all the usual details every time a website is visited and that the user receives a more personalised view of the website.

Guidance

The Information Commissioner's Office, the UK’s data protection and privacy regulator, (‘ICO’) has updated its advice and guidance on changes to the EU cookie laws (see the 'ICO Guidance') on how organisations can comply with the rules on the use of cookies and similar technologies.  This replaces the guidelines issued in December 2011, in which the ICO had stated that implied consent would not be acceptable to achieve compliance. However, the ICO Guidance now suggests that implied consent may be sufficient in the context of storage of information or access to information using cookies at least where non-sensitive personal data is concerned (see below).

When do the Regulations apply?

The Regulations apply whether or not any particular individual can be identified as a result of the use of a cookie. Where an individual can be identified from the information obtained, then this involves processing personal data and compliance with the Data Protection Act 1998 is also required.

When can cookies be used?

Under the Regulations, the use of cookies is only allowed if the user concerned:

• has been provided with clear and comprehensive information about the purposes for which the cookie is stored and accessed; or
• has given his or her consent.

The second requirement for consent is the major change.

Are there any exemptions?

The main exemption from the obligation to get consent is where the cookies are ‘strictly necessary’ for a service which the user has requested.  This exception will be narrowly construed. The ICO Guidance states that the following cookies are likely to be considered ‘strictly necessary’, those which:

• remember the goods a user wishes to buy when they ‘proceed to checkout’ or add goods to their virtual basket;
• provide essential security to comply with data protection law (such as in connection with online banking services); or
• ensure that the content of a page loads effectively by distributing workload across numerous computers. 

The following uses are not considered strictly necessary and hence consent is necessary for cookies which:

• are used for analytical purposes (eg counting the number of unique visits);
• are used for first and third-party advertising; and
• recognise a user when they return so that the website can be tailored.

Compliance 

The Regulations do not define who should be responsible for compliance but the person setting the cookie is primarily responsible. Where cookies are set by a third party (normally an advertiser or advertising network), both the website owner and the third party will have a responsibility for ensuring users are clearly informed about cookies and for obtaining consent.

What is critical is not who obtains the consent but that valid, well-informed consent is obtained. Consent need not necessarily be obtained from each and every user of a particular device. Indeed, it may not always be possible to distinguish between individual users. Consent does, however, at the very least need to be obtained from one of (a) the subscriber (the person who pays the access bill); or (b) a user.

Third parties setting cookies or providing a product or service that requires the setting of cookies, for example, advertising networks that want to place cookies on users' equipment through a website that they do not operate themselves, may wish to include a contractual obligation into agreements with website owners to satisfy themselves that appropriate steps will be taken to provide appropriate information about third party cookies and obtain the necessary consent (see below).

Non-compliance

The ICO has the ability to fine organisations up to £500,000 if it believes an infraction is serious enough as well as to impose other enforcement measures. Although the ICO has stated that a monetary fine would be at the extreme end of enforcement applied and it does not anticipate a wave of enforcement action, it does expect organisations to have used the adjustment period since May 2011 productively and to have ensured that they are working towards becoming fully compliant. In reality, if a website owner is found to be non-compliant but there are no major privacy issues, an information notice or enforcement notice may be all that is issued, requiring certain information to be supplied or a particular action be carried out by a certain date.

Requirement to provide information

For most users it will be appropriate to provide information in the form of an explanation of the way cookies operate and the categories of cookies used on the particular website. No specific form of information is mandatory but the explanation provided must be ‘sufficiently full and intelligible to allow individuals to clearly understand’ the information being collected and why. Explanatory information must be ‘readily available’. In April 2012 the International Chamber of Commerce (‘ICC’) produced a guide to help organisations comply with the law, see the ICC Cookie Guide, which provides some suggested wording.

The ICO advises that rather than simply including the information about cookies in a privacy policy, businesses should consider setting up a separate web page with a prominent link on the home page or possibly on every page of the website. The link should preferably have a title that makes it clear that this is where information about cookies can be found such as ‘Read here about how we use cookies’ and, as far as is possible, the information should be in clear language that is easy to understand.

Requirement to obtain consent

Some suggestions for methods of obtaining consent are outlined in the ICO Guidance:

• as users accept website terms of use;
• as users select website settings (for example, explaining that by choosing a language setting, the user consents to the use of a cookie to remember this setting);
• as users register for, ‘switch on’ or initiate or activate website features (such as personalisation of web pages); or
• using tick boxes in pop-up windows or header bars or other notice and choice mechanisms. (In this context, it is important to remember that consent need not be sought every time a user enters a website.)

In relation to users selecting preferences or enabling features, in practice it will normally be sufficient to make it clear to the user that these will be set or enabled by using a cookie (with a link to the more detailed cookie information). If the user then proceeds to choose the preference or enable the setting, his consent to the setting of the relevant cookie can be assumed.

Implied consent

The ICO has changed its earlier position on implied consent and has clarified that although an explicit opt-in mechanism might provide regulatory certainty, in some circumstances implied consent might be sufficient.  Website operators need to remember that where their activities result in the collection of sensitive personal data such as information about an identifiable individual’s health, then data protection law might require them to obtain actual consent.

The two key requirements of implied consent according to the ICO Guidance are:

Information – website users need to be given a clear notice that the website uses cookies and an explanation of what they are used for. The information must be:

• ‘clear and relevant’ and should result in a shared understanding between the provider and the user on the way in which and the extent to which cookies are used;
• be given prominently. For example, information that is given only as part of a privacy policy that is ‘hard to find, difficult to understand or rarely read’ will not be adequate. The ICO leaves it to providers to establish the exact ways in which they choose to provide this information but the ICO Guidance sets out some factors providers should bear in mind when looking at the level of information to be provided and the way in which it is brought to users’ attention. These include:
  • the nature of the intended audience of the site, for example, whether the site is directed at a technically aware audience or not;
  • the way in which users generally expect to receive information from and on the site; and
  • making sure the language is appropriate for the audience. Highly technical language should be avoided.

Choice – visitors to a site should be able to control the setting of cookies even if the consequences might be loss of functionality for that visitor. The website provider must satisfy itself that the user’s actions are not only an explicit request for content or services but also amount to an indirect expression of the user’s consent to the setting of cookies. Consent might be inferred for example when a user visits a website, moves from one page to another or clicks on a particular button. The key point, however, is that when taking this action the individual has to have a reasonable understanding that by doing so they are agreeing to cookies being set.

If the website includes a clear and unavoidable notice that cookies will be used if the user enters the site, and if the user then clicks through and continues to use the site, this would be sufficient to imply consent.

Changes to purposes

If the purposes of the cookies used change significantly after consent has been obtained, it will be necessary to make users aware of the changes and allow them to make an informed choice as any consent obtained previously will be insufficient.

Withdrawal of consent

Users must be allowed to withdraw consent at any time and sufficient information must be given as to how that can be done.

Effect on EU compliance

This change in position by the ICO may set it against the majority of data protection regulators in other EU member states and the Article 29 Working Party, which has clearly ruled out the use of implied consent. By the ICO's own admission, this may lead to difficulties for UK providers who place cookies on the equipment of non-UK EU citizens on the basis of implied consent.

What should you do?

If you have not started work on complying with the Regulations, it is important to do so now. First steps should be to:

• Check for further information and guidance - see the ICO website.
• Do an audit - check what type of cookies and similar technologies you use and how you use them.
• Assess how intrusive your use of cookies is - the more intrusive to privacy, the more priority you will need to give to getting meaningful consent. The ICC Cookie Guide has some useful pointers on how to make this assessment by dividing cookies into different categories.
• Decide what solution to obtain consent will be best in your circumstances - the ICO has made it clear that consent should involve “some form of communication where the individual knowingly indicates their acceptance” . See above for suggestions on how to obtain consent although in practice how easy this will be for many businesses remains to be seen.

What has TRG done?

We have taken a pragmatic view about what we can and must do in relation to the use of cookies and similar technologies on our website and by distributing our email newsletters, the TRG Update and the TRG Executive BRIEFing. The steps we have taken to comply with the new law therefore are:

• provided a new link to our privacy & cookies policy in the footer on each page of our website;
• updated our privacy & cookies policy, for example to include more details regarding the use of cookies on our website, provide links to further information and give details of how to prevent cookies being set;
• put a new link on our home page ‘Read about how we use cookies’. This links to the privacy & cookies policy which hopefully brings this to the attention of visitors in a more prominent way; and
• provided an equivalent link in the TRG Update and the TRG Executive BRIEFing.

If you require any advice on complying with the Regulations, please contact us at info@TRGlaw.com.

back to archive

© 2012 - TRG Law Limited | legal notices | privacy & cookies | sitemap | website design and hosting by projectfive
tel: +44 (0) 1483 730303  email: info@TRGlaw.com