In May 2011, the EU Privacy and Communications Directive came into force which stated that all non-essential cookies used on websites must be clearly identified to the website’s users and that the website users must consent to the cookies being used (on an opt-in basis). The Information Commissioner’s Office (ICO) gave UK website owners a year’s grace in order to become compliant with the new law and that period expired on 26 May 2012.
What is a cookie?
A cookie is a small text file that helps organise and store browsing information. Common examples of non-essential cookies include Google Analytics which provides anonymous tracking data about website users, affiliate links, Google Adsense, cookies used to recognise a website user when they return to a site and cookies for advertising. Examples of essential cookies are those used to remember the goods a user wishes to buy when the user checks out, cookies for internet banking security and cookies that help pages to load more quickly.
Why was the law introduced?
The EU was concerned about consumers not being aware that their surfing behaviour is being monitored and data being stored for advertising purposes. Such behavioral advertising is carried out mainly with the use of “persistent” cookies. Hence the legislation seeks to impose a duty on website owners to tell their users about the cookies on the site and only be able to use such cookies with the website user’s informed prior consent.
What you need to do to comply
Firstly you need to identify what cookies are being used on your website. You can purchase cookie audit software for this purpose or undertake a free audit. However please note that such software tools are not 100% reliable.
Otherwise you can clear your browser cache, go onto your website and then look at the stored cookies. Then identify which are from your site and which are from a third party site. You then need to identify what purpose the cookies serve, do they contain personal information and whether they are being used to track the user and if so the lifespan of the cookie. You should also check any WordPress plugins that you have on your site.
Then you need to obtain a cookie policy and insert the details of your cookie audit into that policy and add it to your website. If you need a Cookie Policy, use the Contact Page to get in touch with us.
The final step is to obtain consent from your users to the use of non-essential cookies. If the only cookies on your site are essential then you do not need to obtain consent, but as most of you will at least use Google Analytics (which is non-essential), you will need to obtain consent.
Until 25 May 2012 (ie one day before the grace period expired), it had been thought that consent had to be on an opt-in basis (such as a website user ticking a box to consent to the use of cookies). This had been the problematic part of the Regulations as there was no recommended solution as to how to obtain consent from website users. Some possible options included:
Using a free code for an opt-in button that looks like this:
Or adding the code to your website for an opt-in box in the bottom right corner of your website.
If you have a wordpress site, the EU Cookie Directive WordPress Plugin displays an opt-in message at the top of your site and also lists in your admin panel the cookies you have installed. The opt-in message is customisable.
However on 25 May 2012, the ICO (perhaps under pressure from business lobbyists who argued that opt-in consent would overly restrict businesses in times when UK businesses need every help they can get) issued new guidance that stated that consent may be implied. What this means is that for step 3 of your compliance with the Regulations, rather than having an opt-in pop up as per the above examples, you simply need to state in your cookie policy that by continuing to use the website, the website user agrees to the use of cookies on the website.
What will happen if I’m not compliant ?
The ICO has the power to fine you £500,000 if your website is not compliant. However this is very unlikely. Firstly the ICO will not have a team of investigators tracking down non-compliant websites. And secondly, even if there is a complaint made against you, the ICO has commented that as long as website owners are “moving towards compliance” and are not “wilfully avoiding the regulations”, the ICO will work with website owners to help them be compliant rather than fine them. Indeed a Cabinet Office spokesman has commented that “the majority of government department websites will not be compliant with the legislation” by 26 May 2012.
Now that the ICO has issued guidance stating that implied consent is sufficient, it is actually quite an easy task for you to comply. Just carry out a cookie audit, assess how intrusive your cookies are and have a cookie policy on your website.
If you need a Cookie Policy, you can always contact us for small business legal advice or read the latest ICO guidance.
Copyright Suzanne Dibble 2012
You may reproduce this article if you provide the following copyright notice and credit “copyright Suzanne Dibble 2012. Suzanne Dibble is a multi-award winning business lawyer who specialises in e-commerce law. Suzanne has vast experience ranging from acting for plc’s on billion pound projects to helping micro businesses with their day to day business law requirements. To find out more about Suzanne and read the many testimonials from happy clients please see www.lawyers4mumpreneurs.com.”
