Since 26 May 2012 the Information Commissioner’s Office (ICO) has been able to consider complaints about website cookies and to consider using its enforcement powers to compel website owners/operators (Operators) to comply with the legal requirements of the Privacy and Electronic Communications (EC Directive) Regulations 2003 as amended.
Subject to certain exceptions, the setting of cookies on website users’ (“Users”) computers will only be allowed:
1. When the User has been provided with clear and comprehensive information about the purpose for which the cookie is stored and accessed; and
2. The User has given their consent.
The ICO has made it clear that Operators should obtain a User’s consent (1) before the cookie is set and (2) that consent is obtained through an affirmative step on the part of the User.
On 25 May 2012, the ICO confirmed that Operators may rely on “implied consent”, but such consent has to be a “freely given, specific and informed indication of the individual’s wishes”, and there has to be some action taken by the consenting individual from which their consent can be inferred (e.g. moving from one page to another or clicking on a particular button). The ICO states that the “key point … is that when taking this action the individual has to have a reasonable understanding that by doing so they are agreeing to cookies being set”.
Operators will not be required to obtain a User’s consent prior to setting any “essential” cookies. These are cookies which are “strictly necessary” to provide the User with a service requested by them (e.g. an online shopping-basket facility where the website needs to remember products chosen by a User on a previous page). The ICO has stated, however, that this exception must be interpreted quite narrowly in view of the Regulations’ use of the phrase “strictly necessary”.
The Information Commissioner has a range of options available to take formal action against Operators to ensure compliance with the Regulations including:
• Information Notice – requiring an Operator to provide specified information within a certain timeframe;
• Undertaking – committing an Operator to a particular course of action (e.g. to start obtaining the necessary consents);
• Enforcement Notice – compelling an Operator to take certain actions (e.g. to start obtaining the necessary consents). Failure to do so can be a criminal offence; and
• Monetary Penalty Notice – requiring an Operator to pay a monetary penalty of an amount determined by the ICO. The maximum penalty is currently £500,000.
How Edwin Coe can help
We can provide:
• Checklists for Operators to carry out their own “cookie audit”;
• Advice on how to provide information about cookies used on a website;
• Advice on how such information can be brought to the User’s attention;
• Guidance on how in practice to obtain a User’s consent; and
• Advice on the related matter of the Data Protection Act and the personal data an Operator collects from Users.
We can advise Users on:
• Bringing complaints to the ICO in relation to an Operator’s breach of the Regulations in relation to cookies set on the User’s computer; and
• The misuse of a User’s personal data by an Operator.
If you would like any further information or advice in relation to this matter please contact firstname.lastname@example.org or call 020 7691 4054.
Please note that this blog is provided for general information only. It is not intended to amount to advice on which you should rely. You must obtain professional or specialist advice before taking, or refraining from, any action on the basis of the content of this blog.
Edwin Coe LLP is a limited liability partnership registered in England and Wales (No. OC326366) and is authorised and regulated by the Solicitors Regulation Authority. A list of members of the LLP is available for inspection at our registered office: 2 Stone Buildings, Lincoln's Inn, London WC2A 3TH. "Partner" denotes a member of the LLP or an employee or consultant with the equivalent standing. Our privacy notice which we are obliged to give you under the GDPR is available here.