That's the way the "Cookie(s)" crumble(s)

The law on the use of cookies on computers and mobile devices is changing on 26 May 2011 as a result of a change in the EU Directive, which English law is based on.

A cookie is a small file of letters and numbers which are downloaded onto a device when the user accesses certain websites. Put simply cookies allow a website to recognise a user’s device.

The previous rule in the Privacy and Electronic Communications Regulations 2003 (“Regulations”) was that users had to be:-
• told how cookies would be used; and
• given the opportunity to “opt out” if they objected to the use of cookies.

The new Regulations require “opt in” consent from users before cookies are placed on their machines. There is a very limited exception to the new rule if the cookie is “strictly necessary” for this service requested by the user. This would not extend to e.g. use of a cookie just because it would make the website more attractive to users.

The Information Commissioner (“ICO”) has rushed out preliminary information for organisations which is stated to be a “starting point” rather than a definitive guide. The ICO has said that the new rules cannot be ignored and it will issue separate guidance on how it intends to enforce the changed Regulations.

That said, there are important steps that you need to take now as follows:-
• check what types of cookies you use and how you use them;
• assess how intrusive your use of cookies is;
• decide how best to get consent to use of the cookies.

The ICO’s view is that relying on browser settings is not an answer at present because not all of your visitors will have the most up to date browser installed with the enhanced privacy settings that the new rules require. This being the case, organisations will have to look at other methods to get consent.

The ICO’s view is that provided you get consent before a cookie is first set you do not have to get it again for the same person each time you use the same cookie.

The ICO has suggested the following as possible methods of obtaining consent:-
• The use of “pop ups” – whereby the user is asked to click “yes” that they agree to the use of “cookies”. The ICO comments that this could be a rather “clunky” way of getting consent as overuse of pop ups can spoil the user’s experience of a website.
• Terms and Conditions – you would have to update your on line terms and conditions to reflect the new rules. You then need to get consent from your users to the updated terms e.g. by use of a tick box.
• Settings Led Consent and Features Led Consent - are both options whereby a user is made aware that by choosing a particular setting or feature they will need to install cookies. The ICO has said that the more complex or intrusive the use of the activity the more information that you will need to provide. The key is that users must be able to make an informed decision.

Third Party Cookies
If your website allows third parties to set cookies on a user’s device there are even tougher challenges surrounding getting informed consent from users as to which third parties are collecting information and what information. In this area the ICO is working with industry and other European authorities to try and develop practical answers.

Further Guidance
The ICO has said that it will issue further, more detailed advice if appropriate in the future but this is unlikely to involve a prescriptive list of how to comply with the new rules. They have said that what is clear is that the more directly the use of a cookie relates to the user’s personal information the more carefully you need to think about how to get consent.

This is clearly a complex area without definitive answers to some of the more complex issues, e.g. third party cookies and their use. The ICO has made clear that doing nothing is not an option and it will be issuing further guidance on how they intend to enforce the new Regulations in due course.

Posted by Karen Harrison, a Director, and Matthew Read, a Solicitor, in the Nelsons Commerce and Technology group. To find out more about our Commerce & Technology group, click here.