Back
We continue to provide our legal services through the COVID-19 lockdown. Please visit our COVID-19 Hub for legal insights, or contact us directly.
Get in Touch Menu

The way the cookie crumbles …

12 July 2012

Most businesses these day use cookies on their websites – either to assist with the browsing experience enjoyed by end-users or to collect vital data about how the site is used.

What are cookies?

In their basic form, cookies are strings of data which are downloaded onto a device when it accesses the internet. Therefore, they allow the online behaviour of a device (and its user) to be monitored. There are four main categories of cookies:

  • Targeting or advertising cookies: these constitute the basis for third party advertising, and include recording visits to particular websites which demonstrate interest ‘segments’ of the computer user. Information is shared with third parties who can tailor adverts according to online behaviour.
  • Functionality cookies: these recognise users who return to a website, enabling eg personalised greetings, language, region or other personalised settings and displaying tailored updates or news feeds.
  • Performance cookies: these may be used by websites to monitor the number of visitors there are on a website and most popular pages.
  • ‘Strictly necessary’ cookies: these include cookies which enable entry into secure areas of websites, use of online shopping carts and e-billing services. They are generally exempt from the consent and notice requirements in the regulations. These are only broad categories and cookies may perform multiple functions.

The regulations

The regulations require website users to be informed that cookies are being used and their consent to be sought (other than for ‘strictly necessary’ cookies). Fines of up to £500,000 can be imposed for noncompliance and the Information Commissioner will be responsible for enforcement.

Consent

The user’s/subscriber’s consent must be informed and cannot be inferred or deemed from, say, a lack of response. Though no specific solution is endorsed, guidance sets out options including ‘pop-up’ boxes or banners. Pop-ups seem to be a popular solution, looking at various mainstream websites that have complied to date.

Website owners also need to demonstrate that they are doing as much as possible to minimise the delay between introducing or ‘placing’ a cookie and informing and obtaining consent from end-users.

Browser settings

Browser settings may offer a method to indicate consent to the use of given categories of cookies (and to exclude others). However, it must be clear that consent has been given in some way by the end-user/subscriber.

A practical limitation is that not all users/subscribers will use web browsers which are sophisticated enough to provide such enhanced privacy settings.

Information to be provided

No formal guidance has been provided but possible ways of informing users could include:

  • altering the visual appearance of the privacy policy or inserting the word ‘NEW!’ next to a link to it
  • moving the link to the privacy policy to a prominent part of the website
  • renaming the privacy policy ‘cookies and privacy policy’, possibly with a separate link to a cookies policy
  • using icons or images which link to further information.

Responsibility for compliance

A person who uses cookies for their own purposes will be responsible for complying with the regulations. However, where a website’s cookies provide information to third parties, responsibility for compliance probably falls on both website operator and the person setting the cookies.

Exemptions

A narrow exemption still remains for ‘strictly necessary’ cookies, referred to above. Consideration therefore needs to be given as to what category a cookie belongs to.

Practical step for businesses

Businesses with websites should check what cookies are being used, assess their intrusiveness, identify any obsolete cookies and take appropriate action. This should involve carrying out a cookie audit. For such audits, businesses must have clear communication at least between their website designers, marketing and commercial departments and their legal team.

To amend terms and conditions of use and the site’s privacy policy, additional steps may be required.

Finally, if a website enables users to select personalised settings for their experience on the website, consent to the use of relevant cookies may be built into the setup process.

As always, if you need commercial and pragmatic legal advice, we’re here to help so please get in touch.

Contact us

Contact
Matthew Clayton MA LLM (Cantab), CIPP/E
Partner
View profile
Mathew Clayton
Related services
Share this article
Resources to help

Related articles

Corporate & commercial issues: COVID-19 FAQ

Corporate

The global outbreak of coronavirus (COVID-19) and the government’s resulting emergency measures have had severe implications for many businesses. Read on for answers to some frequently-asked questions on corporate &…

Sophie Martyn BSc (Hons)
Associate, solicitor

Fixed price legal advice for SMEs & the Coronavirus Business Interruption Loan Scheme

Corporate

The Coronavirus Business Interruption Loan Scheme (CBILS) has thrown a much-needed lifeline to businesses experiencing cashflow difficulties as a result of the coronavirus outbreak. The eligibility criteria of CBILS was…

Chris Wills LLB (Hons)
Partner

Commercial contracts & coronavirus: What are the implications?

Commercial

As the coronavirus (COVID-19) pandemic develops, we have seen significant disruption to businesses across multiple sectors in the UK. Understandably, this has led to widespread concern about the implications for…

Sophie Martyn BSc (Hons)
Associate, solicitor
Contact us