News and Events

Cookies - have you got consent?

  • Posted

No I am not referring to the edible variety! I am talking about small pieces of information that most websites store on the browser or the hard drive of your computer. This may be done for a variety of reasons, such as making the website easier to use (e.g. by remembering your password so you do not need to enter it every time you access the site) or tracing your usage for marketing analysis purposes.

The law relating to cookies was recently amended to include a requirement to seek consent before storing cookies on a user’s device. The Information Commissioner’s Office (ICO), which is responsible for enforcing the legislation in the UK, decided that website operators would be given a grace period of 12 months to implement the new rules. As this period came to an end on 26 May 2012, if you operate a website, you must now ensure that you get consent and give users the ability to opt-out from having cookies stored on their computer.

So, how do you obtain consent? Well, this question has been the subject of much debate and the ICO appeared to change the goalposts at the last minute by issuing revised guidance at the end of May 2012 indicating that implied consent may be acceptable after all. Their previous guidance had suggested that implied consent was not appropriate.

Does this change, in opinion, mean that you can get consent by putting a statement in your privacy policy to that effect? No, it does not. The ICO guidance is clear that information on cookies must be given prominently and that, for example, information that is given only as part of a privacy policy which is hard to find, difficult to understand or rarely read will not be sufficient. Furthermore, the guidance points out that implied consent is only acceptable in certain circumstances.

As every website is different, it is important for a business to consider the best way for their site to obtain consent and to take legal advice regarding this as early as possible. It is expected that the ICO will start to take action in the coming weeks and months against operators who are not complying with the law. Many businesses have already taken practical steps to comply with the new law and, as people get used to seeing information about cookies on the websites they visit, it will become easier to spot a site that has done nothing!