
New Cookie Regulations, Are You Ready?

2nd March, 2012

Sadly, this is not to do with the number of chocolate chips in each one!  This is about those cookies which are, according to the definition in the Information Commissioner’s Office (ICO) Guidance on the rules on use of cookies and similar technologies – December 2011, “a small file, typically of letters and numbers, downloaded on to a device when the user accesses certain websites.  Cookies allow a website to recognise a user’s device.”

You have until May 2012 to comply with the new rules set out in the guidelines.

In essence, Cookies are small files that websites put on your hard drive.  They can be benign and help you access sites more easily and process orders better or they can be malicious and gather sensitive data from your PC which can then be used or sold without your knowledge or permission.

For example, the BBC website may put up to 26 cookies onto your PC!

To find out lots more about cookies, look at (pro-cookie) or (anti-cookie).

The new Guidelines from the Information Commissioner pick up on the snappily named Privacy and Electronic Communications (EC Directive) Regulations 2003 which have now been further updated by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011; these are better known as PECR.  The PECR set down rules for cookies stating that users must be provided with information about the cookies your website puts on their hard disk and an opportunity to remove them.  If your website uses cookies, you will need a Privacy Policy and must comply with the cookie regulations.

The regulations apply to cookies and also to similar technologies for storing information.  This includes, for example, Local Shared Objects (commonly referred to as “Flash Cookies”), web beacons or bugs (including transparent or clear gifs).

There are different types of cookies:

  • Session cookies are placed onto the user’s computer whilst they browse a particular site and are removed at the end of their visit.  They help navigate the user through the site and, for example, remember items placed in an online shopping basket.
  • Persistent cookies remain on the user’s PC between sessions.  These can be useful to remember your preferences and to personalise your journey.  For example Amazon knows what you have bought or browsed before and makes recommendations, or a supermarket remembers your regular shopping list.
  • First party cookies are put on your PC by the site you visit and third party cookies are put on your PC by others.  Websites often sell cookie space to third parties.  Again this can be benign and make sure you get “targeted” adverts when you visit a site, or can be more sinister.

You can alter your PC’s ability to accept cookies in your browser settings, but then the websites you visit may not work as well.

So if you have a website, it will probably have cookies.  What must you do?

If your cookie collects data that can be linked to a name, a postal address or even an e-mail address, that information will amount to personal data and will be subject to the Data Protection Act 1998.

Otherwise, the new regulations provide that the use of cookies is only allowed if the user:

  • Has been provided with clear and comprehensive information about the purposes for which the cookie is stored and accessed.
  • Has given his or her consent.

Consent is not clearly defined in the Regulations and the level of information required to be given is not clear either.  This is compounded by the difficulty of knowing the level of technical ability that any given user might have.

There is an interesting and not yet clear issue between user and subscriber.  The person who pays the bill is the subscriber, but the person using the browser is the user.  If a child is using a website on their parent’s connection, who has to give consent?

To look at the information required you should get your IT manager or provider to conduct a cookie audit.  What sorts of cookies is your website using?  The ICO suggests a table listing all the cookies, what they are called and what they do, along with more information if required.  Alternatively, the ICO has suggested some generic wording starting “our website uses [x number of] cookies …”.

The users must “signify” their consent.  This must be a conscious act by the user and should be before the user accepts the cookie.  This causes a problem as most websites send their cookies as soon as the user lands on them.  There are some minor exceptions to consent for subscription services and telecoms services.

Some of the ways that websites are doing this are prominent links, icons, news items and blog posts.  A pop-up window which asked users to check a consent box would be ideal, although many browsers are set to block pop-ups and sites don’t want messages that get in the way of the browsing experience.  A static and prominent banner is used by many sites, but it is questionable whether that is informed consent.

Where the site asks for preferences to be added for future visits, then a box could be added for cookie consent.

The ICO uses the following example [1]:

If the user clicks on “I agree”, all is fine, or if they bypass it, implied consent may be given.  Obviously, if they click on “No thanks”, cookies may not be loaded.

Getting consent for third party cookies is even more complex as there are multiple parties involved.

Once approval has been given it does not need to be given again for the same user on the same site, but there must be a way on all sites of withdrawing consent and having cookies removed.  This should form part of your privacy policy.

So, if you were looking for an easy answer in this article, you will be disappointed.  The ICO guidance includes the words “may” and “think about” and even “challenging”.

In conclusion, you must conduct a cookie audit to see what you are using, you must provide information to users of your site, you should get their opt-in consent and provide a way for them to withdraw their consent.

You also need to review your internet Terms of Use and your internet Privacy Policy.

The items touched on briefly in this article should not be taken as specific legal advice; they are merely pointers to the issues that are out there.  Additionally there are rules about data, the use of electronic communications, the use of location data and rules about selling on the internet.  These are exciting times on-line but if you use the web to sell, directly or indirectly, you must be aware of the issues.


[1] From: Information Commissioner’s Office (ICO) – Guidance on the rules on use of cookies and similar technologies – December 2011

