The new cookies law – digesting the facts

Author: Alan Wetterhahn

The law which applies to cookies changed almost a year ago, on 26 May 2011. Website operators were given a one-year grace period within which to implement the changes required by the new regulations. However, time is running out: this period is due to expire shortly, on 26 May 2012.

You may be asking what all the fuss is about. Yet, if your business has a website, it almost certainly contains cookies, and all cookies fall under the remit of this law. Cookies are small text files which a website places on the device of a visitor to the site. Some are seen as harmless: they collect data for the purposes of counting the number of unique visitors to a site or performing other analysis. Others, however, can be used to build up a profile of specific users, recording their habits and preferences, often without their knowledge.

It is the fear that users are being tracked over the internet without their knowledge, together with concerns relating to the use of spyware, that has prompted the European Commission to clamp down on the use of cookies. However, the latest change in the law applies to all cookies regardless of their purpose.

Website operators must now ensure that any visitors to their website actively consent to the use of cookies. Formerly, websites relied on an opt-out procedure buried deep within their site’s privacy policy. The ICO (the UK’s Information Commissioner) has confirmed that this is no longer sufficient, nor is it adequate to assume that users have given implied consent.

So, what must you do to comply? The ICO recommends that website operators carry out a "cookie audit" to identify what cookies their website contains. Once these have been identified, the website operator will need to take a risk-based approach to decide on the best solution for their website. The ICO recommends a range of options that could be used to make a website compliant, including the use of prominent headers and footers containing links to a cookies policy, pop-up windows, the use of different font types and changes to the website’s login conditions.

It should be noted that consent needs to be obtained only once, and that consent is not required where the use of the cookie is essential to the service being provided to the user, such as through the use of an online shopping basket.

The consequences of a breach of the rules could be severe. The ICO can request undertakings, serve enforcement notices and impose monetary fines of up to £500,000 on businesses. The ICO has stated in its guidance that, if operators can be seen to be addressing the issue, the ICO is unlikely to take any action.

For further information please contact Alan Wetterhahn, Associate,
Fladgate LLP (
