Add to PDF BrochureView PDF BrochureBookmark PagePrint PageA A A

Company Commercial Notepad - February 2012


1. Cookies: Is Your Website Compliant?

In June 1994, the first ‘persistent client state object' - a bland and opaque choice of words which would have made many a lawyer proud - quietly came into being.  It had been lovingly crafted by Lou Montulli, a talented programmer for what was to become Netscape Communications.  Later, he wisely started to use the snappier term ‘cookie' to describe his game-changing invention.

Prior to 1994, every visit to a website was like the first - with no automatic way to record that a visitor had dropped by before.  After that date, the use of cookies meant that websites no longer had amnesia.  A website, by placing a small packet of data on your computer, could begin to recognise you and track your surfing habits.  Clicking on the cold and flu page on a healthcare site?  Be prepared to have an undisclosed cookie added to your machine and to find yourself being targeted by advertisers selling all manner of exotic remedies. In essence, giving the web a cookie-related memory has cost its users a degree of their privacy.

So whilst the childlike word, cookie, may conjure up sweet thoughts of soft, gooey biscuit, the European Commission is not quite so smitten. The Commission in 2009 revised the ‘E-Privacy Directive' (2002/58/EC) which has brought in a much tougher regime on the use of (non-biscuit based) cookies.  Whilst businesses have been using them pretty much unhindered for some 18 years now; from 26 May 2012 the UK's enforcement agency, the Information Commissioner's Office ("ICO"), is likely to ‘throw its weight around' a bit more.  Enforcement for non-compliance with the new cookies law will undoubtedly increase.  Your business and your website may be at risk.

Effectively, the new regime is that the use of cookies is only allowed if the user concerned:

  • has been provided with clear and comprehensive information about the purposes for which the cookie is stored and accessed; and
  • has given his or her consent (there are a small number of limited exceptions to this rule).

To comply with this law, many businesses are following recent ICO guidance.  You should therefore consider the following steps:

  • check what type of cookies and similar technologies you are using and how you use them. This might be by way of a comprehensive audit of your website or it could be as simple as checking what data files are placed on user terminals and why. You should analyse which cookies are strictly necessary and which might not need consent. This could be a good opportunity for you to clean up your web pages and stop using any cookies that are unnecessary, or which have been superseded as your websites have evolved.
  • assess how intrusive your use of cookies is. The ICO explains that the new rules are intended to increase the protection of internet users' privacy.  Therefore, you are likely to need to give greater priority to obtaining meaningful consent for your more intrusive uses of cookies, such as those that involve creating detailed profiles of an individual's browsing activity.
  • decide on the best solution for you to obtain consent from the users of your website. Possible solutions include the use of terms and conditions, pop-ups and similar techniques, settings-led consent, and website headers or footers.

We will, of course, keep and eye on developments and update this Focus if necessary. The key date, however, is 26 May 2012 by which time your website needs to be compliant.

If you have queries in the meantime, please do not hesitate to contact a member of the Laytons team.

For PDF version of this notepad please click here.