May 10, 2012

Consent to Cookies

What are internet cookies?

A cookie is a small file of letters and numbers downloaded on to a device when a user accesses certain websites. Cookies allow a website to recognise a user’s device and some websites contain third party Cookies for example from their advertisers. Shopping basket systems, automatic log-ins and remember my details buttons all rely on cookies.  Cookies ability to store the browsing behaviour of users have made them attractive to advertisers and increased their use in the advertising world. Essentially a cookie sitting on your device will track the websites you have visited enabling advertisers to determine what advertisements you would find interesting.

Nearly every internet user will have hundreds of cookies and other forms of tracking on their computer and unless they are particularly internet savvy they will have no idea of this fact.  This has raised issues about privacy and prompted the changes in law.

New law on internet cookies?

The UK introduced amendments to the law on 26 May 2011 through The Privacy and Electronic Communications (EC Directive) (Amendment) (Regulations). The Information Commissioner effectively granted a 12 month grace period in which websites were told to become compliant. From 26 May 2012 every website operating in the UK is required to:

  • tell users that its website is using cookies,
  • provide its users with ‘clear and comprehensive information’ about any cookies it is using and
  • obtain the users consent to store a cookie on its device.


The consent required under the new laws must involve some form of communication where the user knowingly indicates their acceptance to the use of cookies. This may involve for example clicking an icon, sending an email or subscribing to a service. You can no longer therefore rely on providing an option for users to ‘opt out’ of cookies being used stored on their devices.

Exemption from the requirement to provide information and obtain consent.

There is a narrow exception to the requirement to provide users with information and obtain consent which applies in circumstances where using a cookie is ‘strictly necessary’ for the service requested by the user. This might apply, for example on a shopping website when a user has chosen goods and clicked the ‘add to basket’ or ‘proceed to checkout’ buttons and the cookie remembers what the user chose on a previous page.

What you should do

All website should be fully compliant with the new rules by 26 May 2012. If you have not started working on compliance it is important that you do so now. First steps to compliance should include:

  • Carrying out a ‘cookie audit’- checking what types of cookies and similar technologies you use and how you use them.
  • Assessing how intrusive your use of cookies is.
  • Where consent is needed- deciding how best to obtain consent in your circumstances.
  • Making any consequential changes to your website and terms of business.

Enforcement and penalties

The Information Commissioner’s Office is charged with ensuring compliance with the new rules. Where organisations fail to comply voluntarily there are a range of options available to the Information Commissioner including a monetary penalty of up to £500,000.

If you require advice on  how to make your website compliant  or any issues covered in this blog please contact John North, Head of Corporate and Commercial on 020 7583 2222 or [email protected] or Sonia Mohammed

Share on: