The Cookie Diet

Author: Eddie Powell, Alan Wetterhahn

If you have a business and you have a website, then the chances are that you are using cookies. Cookies are small pieces of data that a website asks the browser to store on the user's computer and send back on later requests. Essentially, cookies allow websites to recognise users when they return to a site and to deliver content and services that depend on that recognition.

Technically speaking, cookies can be used as a form of spyware, intruding on a user’s privacy. The reason for this is that cookies store information about users’ browsing preferences and their usage history.

Cookies have therefore been covered by data protection laws for a number of years. Essentially, these laws required that users were told about the cookies being used by a website and given the means to decline them. In practice, this meant that a notice buried in a privacy policy, together with the settings on the user's browser (which was usually set to accept cookies automatically), counted as the user's exercise (or rather, non-exercise) of his or her right to reject a cookie.

This changed on 26 May 2011 with the coming into force of the snappily-titled EU Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011.

These rules require website operators to make sure that users have positively consented to the placing and accessing of cookies on their computer. Unhelpfully, the new regulations do not specify exactly how that consent should be obtained. The Information Commissioner's Office (ICO) has provided guidance which suggests that users will need to be given a clear opportunity to consent before cookies are downloaded onto their computers (or mobile devices).

The European law on which this is based is similarly unclear, and there was a widespread view that browser settings could again be taken as consent for the purposes of the new rules. However, that is not the position taken by the ICO, and any UK business which operates anything more than a basic static website should take a more hands-on approach to this issue.

It’s not all doom and gloom. Once consent is obtained at the point at which a cookie is set for the first time, your website does not need to obtain consent again from the same person each time the website is visited.

There is also an important exception to the consent rule, which provides that consent is not required when a cookie is “strictly necessary” to deliver a service which is being explicitly requested by a user (for example, the use of cookies in online shopping baskets). However, this is a narrow exemption, and the fact that a cookie is necessary for one function will not mean that cookies can be used throughout the website for other purposes without proper consent.

How can you comply? The ICO calls for a risk-based assessment, which sounds great but, as the ICO acknowledges, most commercial websites include cookies used by the website owner to monitor site visits, so clear user consent will be required. Best practice is undoubtedly a notice that appears on the home page asking each user to give a one-time consent to the use of cookies; this is the approach adopted by the ICO on its own website.

The guidance does identify other means of consent – for example as part of login functionality (where the cookies are only used for registered users) or enabling pop-ups prior to a cookie being downloaded onto a user’s computer or mobile device. Compliance does seem to be a matter of common sense, based on the nature of the cookies used and the services provided over the website.
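The consent approach described above (a one-time consent that is remembered, with strictly necessary cookies still allowed before consent and everything else held back) can be expressed as a small server-side rule. The following is an added example written for this page, not code from the authors or the ICO; the cookie names, the `cookie_consent` marker and the attribute strings are assumptions constructed for illustration.

```javascript
// Added example: gate non-essential cookies on a recorded consent.
// Assumed cookie names (constructed for this example):
//   session_id, basket, cookie_consent  -> strictly necessary / consent record
//   site_visits                         -> analytics, needs consent first
const STRICTLY_NECESSARY = new Set(["session_id", "basket", "cookie_consent"]);
const CONSENT_COOKIE = "cookie_consent";

// Parse an incoming "Cookie" request header into a name -> value map.
function parseCookies(cookieHeader) {
  const jar = {};
  for (const part of (cookieHeader || "").split(";")) {
    const trimmed = part.trim();
    const eq = trimmed.indexOf("=");
    if (eq <= 0) continue; // skip empty or malformed pairs
    jar[trimmed.slice(0, eq)] = decodeURIComponent(trimmed.slice(eq + 1));
  }
  return jar;
}

// Consent is only treated as given when the marker cookie is present and
// carries the exact value we set when the user clicked "accept".
function hasConsent(jar) {
  return jar[CONSENT_COOKIE] === "yes";
}

// Decide which of the cookies the application wants to set may actually be
// sent on this response. Strictly necessary cookies always pass; all others
// require a prior consent record. Returns the Set-Cookie lines plus the
// names that were withheld, so the caller can log or surface them.
function buildSetCookies(requestCookieHeader, wanted) {
  const jar = parseCookies(requestCookieHeader);
  const consent = hasConsent(jar);
  const setCookie = [];
  const blocked = [];
  for (const [name, value] of Object.entries(wanted)) {
    if (STRICTLY_NECESSARY.has(name) || consent) {
      setCookie.push(`${name}=${encodeURIComponent(value)}; Path=/; Secure; SameSite=Lax`);
    } else {
      blocked.push(name);
    }
  }
  return { consent, setCookie, blocked };
}

// The Set-Cookie line to send once the user accepts the notice. It is itself
// strictly necessary (it records the choice) and is kept for a year so the
// user is not asked again on every visit.
function recordConsent() {
  return `${CONSENT_COOKIE}=yes; Path=/; Max-Age=31536000; Secure; SameSite=Lax`;
}

// Constructed sample requests: one before consent, one after.
const beforeConsent = buildSetCookies("session_id=abc123", { basket: "item42", site_visits: "1" });
const afterConsent = buildSetCookies("session_id=abc123; cookie_consent=yes", { basket: "item42", site_visits: "1" });
console.log("before consent, withheld:", beforeConsent.blocked); // ["site_visits"]
console.log("after consent, withheld:", afterConsent.blocked);   // []

module.exports = { parseCookies, hasConsent, buildSetCookies, recordConsent };
```

The point of returning the withheld names rather than silently dropping them is that the "strictly necessary" exemption is narrow: a review of which cookies are being blocked before consent is exactly the risk-based assessment the guidance asks for, and it makes it obvious when an analytics cookie has been wrongly added to the necessary list.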

The new rules are effective now, so you should review your website for compliance without delay. The ICO is unlikely to take action against businesses that have taken steps to address the issue, even if compliance is not 100 per cent.

For further information please contact Eddie Powell, Partner, on +44 (0)20 3036 7362 or Alan Wetterhahn, Associate, on +44 (0)20 3036 7309.
