2nd March, 2012

New Cookie Regulations, Are You Ready?

Sadly, this is not to do with the number of chocolate chips in each one!  This is about those cookies which are, according to the definition in the Information Commissioner’s Office (ICO) Guidance on the rules on use of cookies and similar technologies – December 2011, “a small file, typically of letters and numbers, downloaded on to a device when the user accesses certain websites.  Cookies allow a website to recognise a user’s device.”

You have until May 2012 to comply with the new rules set out in the guidelines.

In essence, cookies are small files that websites put on your hard drive.  They can be benign and help you access sites more easily and process orders better, or they can be malicious and gather sensitive data from your PC which can then be used or sold without your knowledge or permission.

For example, the BBC website may put up to 26 cookies onto your PC!

To find out lots more about cookies, look at (pro-cookie) or (anti-cookie).

The new Guidelines from the Information Commissioner pick up on the snappily named Privacy and Electronic Communications (EC Directive) Regulations 2003, which have now been further updated by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011; these are better known as PECR.  The PECR set down rules for cookies stating that users must be provided with information about the cookies your website puts on their hard disk and an opportunity to remove them.  If your website uses cookies, you will need a Privacy Policy and must comply with the cookie regulations.

The regulations apply to cookies and also to similar technologies for storing information.  This includes, for example, Local Shared Objects (commonly referred to as “Flash Cookies”), web beacons or bugs (including transparent or clear gifs).

There are different types of cookies:

  • Session cookies are placed onto the user’s computer whilst they browse a particular site and are removed at the end of their visit.  They help navigate the user through the site and, for example, remember items placed in an online shopping basket.
  • Persistent cookies remain on the user’s PC between sessions.  These can be useful to remember your preferences and to personalise your journey.  For example, Amazon knows what you have bought or browsed before and makes recommendations, or a supermarket remembers your regular shopping list.
  • First party cookies are put on your PC by the site you visit and third party cookies are put on your PC by others.  Websites often sell cookie space to third parties.  Again this can be benign and make sure you get “targeted” adverts when you visit a site, or can be more sinister.

You can alter your PC’s ability to accept cookies in your browser settings, but then the websites you visit may not work as well.

So if you have a website, it will probably have cookies.  What must you do?

If your cookie collects data that can be linked to a name, a postal address or even an e-mail address, that information will amount to personal data and will be subject to the Data Protection Act 1998.

Otherwise, the new regulations provide that the use of cookies is only allowed if the user:

  • Has been provided with clear and comprehensive information about the purposes for which the cookie is stored and accessed.
  • Has given his or her consent.

Consent is not clearly defined in the Regulations and the level of information required to be given is not clear either.  This is confounded by the difficulty of knowing the level of technical ability that any given user might have.

There is an interesting and not yet clear issue between user and subscriber.  The person who pays the bill is the subscriber, but the person using the browser is the user.  If a child is using a website on their parent’s connection, who has to give consent?

To look at the information required you should get your IT manager or provider to conduct a cookie audit.  What sorts of cookies is your website using?  The ICO suggests a table listing all the cookies, what they are called and what they do, along with more information if required.  Alternatively, the ICO has suggested some generic wording starting “our website uses [x number of] cookies …”.

The users must “signify” their consent.  This must be a conscious act by the user and should be before the user accepts the cookie.  This causes a problem as most websites send their cookies as soon as the user lands on them.  There are some minor exceptions to consent for subscription services and telecoms services.

Some of the ways that websites are doing this are through prominent links, icons, news items and blog posts.  A pop-up window which asked users to check a consent box would be ideal, although many browsers are set to block pop-ups and sites don’t want messages that get in the way of the browsing experience.  A static and prominent banner is used by many sites, but it is questionable whether that is informed consent.

Where the site asks for preferences to be added for future visits, then a box could be added for cookie consent.

The ICO uses the following example [1]:

If the user clicks on “I agree”, all is fine; if they bypass it, implied consent may be given.  Obviously, if they click on “No thanks”, cookies may not be loaded.

Getting consent for third party cookies is even more complex as there are multiple parties involved.

Once approval has been given it does not need to be given again for the same user on the same site, but there must be a way on all sites of withdrawing consent and having cookies removed.  This should form part of your privacy policy.

So, if you were looking for an easy answer in this article, you will be disappointed.  The ICO guidance includes the words “may” and “think about” and even “challenging”.

In conclusion, you must conduct a cookie audit to see what you are using, you must provide information to users of your site, you should get their opt-in consent and provide a way for them to withdraw their consent.

You also need to review your internet Terms of Use and your internet Privacy Policy.

The items touched on briefly in this article should not be taken as specific legal advice; they are merely pointers to the issues that are out there.  Additionally there are rules about data, the use of electronic communications, the use of location data and rules about selling on the internet.  These are exciting times on-line but if you use the web to sell, directly or indirectly, you must be aware of the issues.


[1] From: Information Commissioner’s Office (ICO) – Guidance on the rules on use of cookies and similar technologies – December 2011

