Since 2009 there has been a Directive throughout the EU which, if your website uses “cookies”, requires you to inform those individuals using the website about the cookie.
So what is a cookie?
In general terms, a cookie is a piece of software code downloaded from a website to a user’s computer when they visit that website. It collects information about the individual using the website. Most websites “set” cookies which perform useful services, including remembering our name and other details, so that when we revisit a website the experience is smoother and much more convenient.
Cookies can therefore be useful and, on the whole, we tend to accept them without much consideration when we are buying things online. Some cookies help us deal with our settings for a website, for example if security is necessary to make an online credit card transaction. There are others which we may not be aware of that gather information about our website activities and our browsing preferences. These cookies are often known as tracking or profiling cookies.
Under the Directive you are required to inform the individual not only what your website is doing with the information but also to obtain their consent to it before cookies can be set.
So why is it an issue now?
All EU Member States were supposed to have implemented laws to comply with the Directive by 26th May 2011. The UK implemented the law but immediately declared a moratorium for 12 months during which time they expected businesses to comply.
Previously individuals needed to be alerted to cookies but had to opt-out. Whilst the new law is not completely an “opt-in” process, many are viewing it as such. The Directive applies to a website which is selling goods or services to individuals in the UK (and the rest of the EU). As almost every website uses cookies, and the moratorium has now expired, it is extremely important to ensure you are compliant – otherwise you risk investigation and a possible fine – the maximum being £500,000.
So what is required to become compliant?
The answer to this question has, for most of the last 12 months, been somewhat unclear. The Information Commissioner's Office (ICO) regulates the new law and has issued various guidance.
In the ICO’s latest guidance in May 2012, it specifically says that “While explicit consent might allow for regulatory certainty and might be the most appropriate way to comply in some circumstances this does not mean that implied consent cannot be compliant”.
The latest guidance may support the view taken by BT, who have a cookie notice which pops up on their homepage and informs the user that cookies are set to a default ‘on’ position.
It seems that whilst there must be some indication of acceptance, it does not necessarily need to be a ‘tick-the-box’ approach. The guidance indicates that the required affirmative action to get consent could be indicated by “visiting a website, moving from one page to another or clicking on a particular button”.
Crucially however, site users must have a “reasonable understanding” of what they are consenting to – so the emphasis is on clear information brought to the users’ attention and not hidden in a privacy policy or terms and conditions, etc. They also need to know how to get rid of cookies they don’t want.
So could the BT approach be enough? The ICO’s May guidance says that implied consent may be appropriate in “some circumstances”. Whilst the ‘implied consent’ approach may be fine for less intrusive cookies like Google Analytics, the guidance warns that the more privacy invasive the cookies are (such as those used for profiling and tracking) “the more you will need to do to get meaningful consent”.
The May guidance also adds that “it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals, if an organisation can demonstrate they have done everything they can clearly to inform users about the cookies in question and to provide them clear details of how to make choices”.
The ICO is not, however, going to take such a relaxed approach to website operators that have adopted a ‘wait and see’ stance and done nothing to get their websites compliant. Formal enforcement action will nonetheless most probably be reserved for more intrusive uses of cookies. According to the May guidance, formal action might be considered “perhaps because an organisation refuses to take steps to comply or has been involved in a particularly privacy intrusive use of cookies without telling individuals or obtaining consent”, and fines will likely only be on the agenda in cases of “the most serious breaches of the Regulations”.
Nevertheless, given that the guidance states that explicit consent will ensure compliance and that implied consent will not be appropriate in all circumstances, it would be sensible to:
- assess what cookie technology is being used and for what purposes by your website or websites
- identify your cookies and what categories they may be placed in (see below)
- the categories of cookies recognised by the ICO are “strictly necessary cookies” (for which no consent is needed), “performance cookies” (for which consent is needed; these include, for example, cookies that perform analytics), “functionality cookies” (for which consent is needed; these remember choices you make in order to improve your experience) and “targeting cookies or advertising cookies”, which carry out specific online behavioural analysis and web visiting profiles
- recognise that whilst no consent is needed for “strictly necessary cookies”, information is still needed to be given to individuals about such cookies
- recognise that, in relation to all other cookies, they should not be set on the user's computer without the user first having been given an informed opportunity to consent (but determine whether the BT or a similar approach is sufficient, dependent on the type of cookie!)
Please contact us if you require further advice on how to comply.