The UK law restricting cookies from websites will come into effect on 25th May 2012, giving websites a year to comply with the new act. This gives you time to gradually phase in the right approach to recognising users’ online privacy concerns. The UK government has updated the Privacy and Electronic Communications Regulations in response to the EU Directive to enforce the law.

Cookies are used for a variety of things: third parties generally use them to analyse our browsing habits, and they are useful to us for remembering log-in details on different websites. Most importantly, the use of tracking cookies is what the EU law wants to raise awareness of. It requires websites to inform users and gain their absolute consent for cookies, giving web users more control over their online privacy.

Settings within Microsoft IE9 and Mozilla Firefox already offer to protect users from sites that collect and keep browser data, whilst Google Chrome is still working on integrating a non-tracking service into its browser. This new rule on cookies will be challenging, but it needs to be brought in to give consumers more freedom over what companies know about them. The Information Commissioner’s Office (ICO) is in charge of implementing the law and will be looking for a solution over the year for both online businesses and web users.

The Old Cookie Law

The former rule on using cookies to store information was that you had to tell users how you use cookies and how they can opt out. This information is usually shown in websites’ privacy policies, giving users the option of opting out.

This rule is set out in Regulation 6 of the Privacy and Electronic Communications Regulations 2003 (PECR):

6. (1) Subject to paragraph (4), a person shall not use an electronic communications network to store information, or to gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.

(2) The requirements are that the subscriber or user of that terminal equipment -

(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and

(b) is given the opportunity to refuse the storage of or access to that information

The New Cookie Law!

The new law now requires that cookies can only be placed on machines where the user has given their consent.

6 (1) Subject to paragraph (4), a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.

(2) The requirements are that the subscriber or user of that terminal equipment–

(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and

(b) has given his or her consent.

(3) Where an electronic communications network is used by the same person to store or access information in the terminal equipment of a subscriber or user on more than one occasion, it is sufficient for the purposes of this regulation that the requirements of paragraph (2) are met in respect of the initial use.

(3A) For the purposes of paragraph (2), consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent.

(4) Paragraph (1) shall not apply to the technical storage of, or access to, information–

(a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or

(b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.

There is a narrow exception to this change in the law if what you are doing is absolutely necessary for a website or service requested by the user. For example, when a user chooses products they wish to purchase and clicks ‘add to basket’, a retailer can use a cookie so that the site remembers what the user has bought. This exception will need to be interpreted narrowly: to comply with what is “strictly necessary”, the cookie’s range of activity must be limited to what strictly relates to the service requested by the user.

If cookies are placed before a user has an opportunity to give consent, then you are not compliant with the new cookie law! The Information Commissioner’s Office (ICO) will fine website owners up to £500,000 for any serious breaches of this law. So be sure to make a distinction between ‘opt-in’ and ‘informed consent’ in your policy.

Article by

Eleana Davidson

Marketing Executive