Back
Get in Touch Menu

The way the cookie crumbles …

12 July 2012

Most businesses these day use cookies on their websites – either to assist with the browsing experience enjoyed by end-users or to collect vital data about how the site is used.

What are cookies?

In their basic form, cookies are strings of data which are downloaded onto a device when it accesses the internet. Therefore, they allow the online behaviour of a device (and its user) to be monitored. There are four main categories of cookies:

  • Targeting or advertising cookies: these constitute the basis for third party advertising, and include recording visits to particular websites which demonstrate interest ‘segments’ of the computer user. Information is shared with third parties who can tailor adverts according to online behaviour.
  • Functionality cookies: these recognise users who return to a website, enabling eg personalised greetings, language, region or other personalised settings and displaying tailored updates or news feeds.
  • Performance cookies: these may be used by websites to monitor the number of visitors there are on a website and most popular pages.
  • ‘Strictly necessary’ cookies: these include cookies which enable entry into secure areas of websites, use of online shopping carts and e-billing services. They are generally exempt from the consent and notice requirements in the regulations. These are only broad categories and cookies may perform multiple functions.

The regulations

The regulations require website users to be informed that cookies are being used and their consent to be sought (other than for ‘strictly necessary’ cookies). Fines of up to £500,000 can be imposed for noncompliance and the Information Commissioner will be responsible for enforcement.

Consent

The user’s/subscriber’s consent must be informed and cannot be inferred or deemed from, say, a lack of response. Though no specific solution is endorsed, guidance sets out options including ‘pop-up’ boxes or banners. Pop-ups seem to be a popular solution, looking at various mainstream websites that have complied to date.

Website owners also need to demonstrate that they are doing as much as possible to minimise the delay between introducing or ‘placing’ a cookie and informing and obtaining consent from end-users.

Browser settings

Browser settings may offer a method to indicate consent to the use of given categories of cookies (and to exclude others). However, it must be clear that consent has been given in some way by the end-user/subscriber.

A practical limitation is that not all users/subscribers will use web browsers which are sophisticated enough to provide such enhanced privacy settings.

Information to be provided

No formal guidance has been provided but possible ways of informing users could include:

  • altering the visual appearance of the privacy policy or inserting the word ‘NEW!’ next to a link to it
  • moving the link to the privacy policy to a prominent part of the website
  • renaming the privacy policy ‘cookies and privacy policy’, possibly with a separate link to a cookies policy
  • using icons or images which link to further information.

Responsibility for compliance

A person who uses cookies for their own purposes will be responsible for complying with the regulations. However, where a website’s cookies provide information to third parties, responsibility for compliance probably falls on both website operator and the person setting the cookies.

Exemptions

A narrow exemption still remains for ‘strictly necessary’ cookies, referred to above. Consideration therefore needs to be given as to what category a cookie belongs to.

Practical step for businesses

Businesses with websites should check what cookies are being used, assess their intrusiveness, identify any obsolete cookies and take appropriate action. This should involve carrying out a cookie audit. For such audits, businesses must have clear communication at least between their website designers, marketing and commercial departments and their legal team.

To amend terms and conditions of use and the site’s privacy policy, additional steps may be required.

Finally, if a website enables users to select personalised settings for their experience on the website, consent to the use of relevant cookies may be built into the setup process.

As always, if you need commercial and pragmatic legal advice, we’re here to help so please get in touch.

Contact us

Disclaimer: All legal information is correct at the time of publication but please be aware that laws may change over time. This article contains general legal information but should not be relied upon as legal advice. Please seek professional legal advice about your specific situation - contact us; we’d be delighted to help.
Contact
Matthew Clayton MA LLM (Cantab), CIPP/E
Partner
View profile
Mathew Clayton
Related services
Share this article
Resources to help

Related articles

Unearthing the implicit duty of cooperation in commercial contracts

Commercial

In the world of business, contracts are the bedrock upon which deals are built. These carefully crafted documents are a testament to the mutual understanding between parties, outlining their respective…

Richard Holland BA (Hons)
Senior associate, solicitor

Why sole director companies should check articles of association

Corporate

A recent case has highlighted the importance of ensuring a company is incorporated with carefully drafted articles of association, if there is only one director. All limited companies must have…

Helen Howes LLM
Senior associate, solicitor

SCCs: New rules governing cross-border data transfers and data exchanges from the EU and EEA

GDPR & data protection

This September brings change to the use of standard contractual clauses (SCCs) governing data transfers from the EU and EEA. In June this year, the European Commission published two sets…

Kym Fletcher LLB (Hons) Euro
Consultant, solicitor
Contact us