If you have a business and you have a website, then the chances are that you are using cookies. Cookies are little files created on a computer when a browser accesses a website. Essentially, cookies allow websites to recognise users when they return to a site and utilise content and services.
Technically speaking, cookies can be used as a form of spyware, intruding on a user’s privacy. The reason for this is that cookies store information about users’ browsing preferences and their usage history.
This changed on 26 May 2011 with the coming into force of the snappily-titled EU Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011.
These rules require website operators to make sure that users have positively consented to the placing and accessing of cookies on their computer. Unhelpfully, the new regulations do not specify exactly how that consent should be obtained. The Information Commission’s Office (ICO) has provided guidance which suggests that users will need to be provided with a clear opportunity to give their consent prior to having cookies downloaded onto their computers (or mobile devices).
The European law on which this is based is similarly unclear, and there was a widespread view that browser settings could again be taken as consent for the purposes of the new rules. However, that is not the position taken by the ICO, and any UK business which operates anything more than a basic static website should take a more hands-on approach to this issue.
It’s not all doom and gloom. Once consent is obtained at the point at which a cookie is set for the first time, your website does not need to obtain consent again from the same person each time the website is visited.
The guidance does identify other means of consent – for example as part of login functionality (where the cookies are only used for registered users) or enabling pop-ups prior to a cookie being downloaded onto a user’s computer or mobile device. Compliance does seem to be a matter of common sense, based on the nature of the cookies used and the services provided over the website.
The new rules are effective now, so you should review your website for compliance without delay. The ICO is unlikely to take action against businesses that have taken steps to address the issue, even if compliance is not 100 per cent.