Website cookies: time to comply

Since 26 May 2012 the Information Commissioner’s Office (ICO) has had the ability to consider complaints about website cookies and has also had the ability to consider using its enforcement powers to compel website owners/operators (Operators) to comply with the legal requirements of the Privacy and Electronic Communications (EC Directive) Regulations 2003 as amended.

Subject to certain exceptions, the setting of cookies on website users’ (“Users”) computers will only be allowed:

1. When the User has been provided with clear and comprehensive information about the purpose for which the cookie is stored and accessed; and

2. The User has given their consent.

The ICO has made it clear that Operators should obtain a User’s consent (1) before the cookie is set and (2) that consent is obtained through an affirmative step on the part of the User.

Implied Consent

On 25 May 2012, the ICO confirmed that Operators may rely on “implied consent” but that such consent has to be a “freely given, specific and informed indication of the individual’s wishes” and there has to be some action taken by the consenting individual from which their consent can be inferred (e.g. by moving from one page to another or clicking on a particular button). The ICO states that the “key point …is that when taking this action the individual has to have a reasonable understanding that by doing so they are agreeing to cookies being set”.

Main Exception

Operators will not be required to obtain a User’s consent prior to setting any “essential” cookies. These are cookies which are “strictly necessary” to provide the User with a service requested by them (e.g. an online shopping-basket facility where the website needs to remember products chosen by a User on a previous page). The ICO have stated, however, that this exception must be interpreted quite narrowly in view of the Regulations’ use of the phrase “strictly necessary”.

Enforcement/Penalties

The Information Commissioner has a range of options available to take formal action against Operators to ensure compliance with the Regulations including:

• Information Notice – requiring an Operator to provide specified information within a certain timeframe;

• Undertaking – committing an Operator to a particular course of action (e.g. to start obtaining the necessary consents);

• Enforcement Notice – compelling an Operator to take certain actions (e.g. to start obtaining the necessary consents). Failure to do so can be a criminal offence; and

• Monetary Penalty Notice – requiring an Operator to pay monetary penalty of an amount determined by the ICO. The maximum penalty is currently £500,000.

How Edwin Coe can help

Operators

We can provide:

• Checklists for Operators to carryout their own “cookie audit”;

• Advice on how to provide information about cookies used on a website;

• Advice on how such information can be brought to the User’s attention;

• Guidance on how in practice to obtain a User’s consent; and

• Advice on the related matter of the Data Protection Act and the personal data an Operator collects from Users.

Users

We can advise Users on:

• Bringing complaints to the ICO in relation an Operators’ breach of the Regulations in relation to cookies set on the User’s computer; and

• In relation to the misuse of a User’s personal data by an Operator.

If you would like any further information or advice in relation to this matter please contact simon.miles@edwincoe.com or call 020 7691 4054.

If you aren’t receiving our legal updates directly to your mailbox, please sign up now