By Lyndsay Gough, Keystone Law

That’s the way the cookie crumbles

Recent changes in the law relating to internet cookies mean that all businesses will need to review their websites, according to e-commerce specialist Lyndsay Gough.

What are cookies?

The law relating to cookies has changed, with implications for all businesses which have websites. In this context a ‘cookie' is not the edible kind, but a key element in recording viewing habits when a visitor moves around a particular website.

When you browse a website for the first time, that website will send one or more cookies to your computer. A cookie is a small text file that can be used to assign a unique reference number to your device so that when you return to the site on a different day using the same computer, the site reads your cookie and recognises you. Cookies are used, for example, to see how many people look at particular websites, remember users' selections and preferences, save information already entered and manage which adverts are seen.

It is possible to set a browser to block all cookies, but some websites may then become difficult or impossible to access.

How has the law changed?

The law on cookies is set out in the Privacy and Electronic Communications (EC Directive) Regulations 2003. These regulations were amended on 26 May 2011, implementing changes to the law on the use of cookies which are designed to protect consumer privacy.

Previously, under the old law, it was necessary to tell people if you used cookies to store information about their website use and give them the opportunity to opt out of the use of cookies.

Now, under the new law, you still have to notify people if you use cookies. The important difference is that website visitors now have to opt in to the use of cookies.
Are there any exceptions?

The new rule requiring explicit consent applies to all cookies, except for one limited exception. Consent does not need to be given where the cookie is ‘strictly necessary' for a service required by a user.

This exception would cover, for example, where a visitor to a website is using an online shopping basket. In order to ‘proceed to checkout' to complete a purchase, it will be necessary for cookies to remember items the user chose on previous web pages so as to complete the transaction.

Early indications are that this exception will be interpreted very narrowly. It is unlikely to cover circumstances where cookies are used to serve advertising, perhaps by remembering users' preferences or for collecting statistical information about the use of a website.

What shall I do now?

The Information Commissioner's Office (ICO) was rather slow off the mark and only issued initial guidance notes a couple of weeks before the law on cookies was changed. More information is promised in due course as to how the new law should be interpreted and adopted and, in particular, how explicit user consent to the use of cookies should be obtained.

The initial guidance notes, however, suggest that if you are a business using a website you should start by carrying out an appropriate audit:

- Firstly, you should check what types of cookies you use and how you use them (Your website designer should be able to assist you with the relevant information);

- Secondly, you should assess how intrusive your use of cookies is; and

- Thirdly, you should decide the best way of obtaining consent to the use of cookies for your circumstances.

Obtaining consent to the use of cookies?

Before the law relating to cookies changed, many businesses addressed the issue of cookies in a privacy policy, explaining what cookies were and how a website visitor could opt out of their use. It has become fairly standard to deliver cookies without prior consent, provided that the use of cookies and how to control or disable them is fully explained, usually in a privacy policy. In reality, however, few websites operate properly without using cookies.

As the new law requires a website visitor to opt in to the use of cookies, obtaining informed consent is more of an issue. Further guidance is awaited from the ICO as to how consent should be gained. As with all developments to the internet, it is likely that a standard cookie consent culture will develop over time. In the meantime, the government is working with the major browser manufacturers to determine the best practical solutions for obtaining consent to cookies in the future.

The ICO itself has adopted a banner-based approach to cookies on its own website, which requires the visitor to click acceptance to the use of specified cookies. There is a link to a separate privacy policy, which sets out the types of cookies the ICO uses and why.

Whether this format is adopted as the norm for obtaining consent remains to be seen. Perhaps ‘pop ups' or consumer-selected browser settings will take over instead. Watch this space!

Do I need to do anything now?

The government has indicated that there should be a phased approach to implementing the regulations. The ICO has indicated that it will allow organisations up to 12 months to put their cookie consent affairs in order. After this period those using cookies without asking first could be fined up to £500,000.

This 12-month grace period does not mean, however, that businesses should simply ignore matters now. The ICO has said: ‘This does not let everyone off the hook. Those that choose to do nothing will have their lack of action taken into account when we begin formal enforcement of the rules'. Complaints received by the ICO in the meantime are likely to lead to warning notices being issued against offending website owners.

How can Keystone Law assist you?

The new law on cookies provides an opportune time for many businesses to carry out a complete review and overhaul of their online terms and conditions, to ensure compliance with the multitude of laws, including the new law on cookies, which govern internet trading.

In December 2010 the Office of Fair Trading (OFT) published its strategy to protect consumers shopping online in the UK, with a focus on more effective enforcement, improving compliance by businesses and empowering customers through education. The OFT found that only about one in five businesses was complying fully with consumer law governing online shopping and it indicated that there would be stricter enforcement, with increased cooperation between the OFT, police and Trading Standards. It really is quite important to put online compliance issues in order, as the legal net is certainly tightening.

If you would like a review of your website terms and conditions to ensure legal compliance, contact Lyndsay Gough, a commercial solicitor specialising in internet and ecommerce law, via lyndsay.gough@keystonelaw.co.uk or on 020 7378 0372.

This article is for general information purposes only and does not constitute legal or professional advice. It should not be used as a substitute for legal advice relating to your particular circumstances. Please note that the law may have changed since the date of this article (Originally published July 2011).