Time to take the new rules on cookies seriously

Posted: 15/03/2012

Website owners are not doing enough to comply with the new rules on cookies, the Information Commissioner has said recently.

What are the new rules?

Regulation 6(1) and (2) of the Privacy and Electronic Communication (EC Directive) Regulations 2011 provide that the use of cookies is only allowed if the user concerned has been provided with clear and comprehensive information about the purposes for which the cookie is stored and accessed and has given his or her consent.

The ICO guidance published in May 2011 was designed to make organisations consider what type of cookies their website has and for what purpose, how privacy-intrusive their use is and which solution for obtaining the user's consent would best suit them.

The ICO updated its guidance in December 2011. The main points to note from the updated guidance are:

• website owners are advised to carry out a cookie audit to confirm the types of cookies used;
• website owners must provide users with information as to the cookies operating on the website;
• the rules apply to analytical cookies as well as cookies used for other purposes;
• it is not enough simply to provide the information in a privacy policy. The information must be clearly highlighted and accessible;
• more information on the meaning of consent - this must involve some form of communication where the individual knowingly indicates their acceptance;
• practical ways website owners may obtain consent - the guidance considers ways to identify and position links to information on cookies and the use of pop-ups or website footers;
• the rules apply to cookies on mobile devices and other terminal equipment such as games consoles;
• users should be told how to withdraw consent to cookies and the implications of withdrawing consent. 

To read the ICO's guidance on the use of cookies and other similar technologies, click here.

Time to act now

In May 2011, when the regulations came into force, the Commissioner assured website owners that he would allow a 12 month lead-in period for organisations to develop ways of complying with the regulations. He was criticised for this but, argued that it would not be good regulation to enforce compliance when the tools for compliance were still being developed.

However, the Commissioner's disappointment in the level of engagement should be a warning for all website owners who felt that they could postpone their decision as to how to comply with the regulations until the end of the lead-in period. The Commissioner has made it clear that he will still investigate complaints relating to an individual site's use of cookies and will expect website owners to be able to demonstrate the steps they are taking to achieve compliance.

Return to news headlines