Cookies – Essential information for any website owner or developer

31 January 2012

This is a brief introduction to cookies and your potential obligations as a website owner or developer. This summary is derived from the Information Commissioner's Office (“ICO”) guidance on the rules on the use of cookies and similar technologies.

What is a cookie?
A cookie is a small file, typically of letters and numbers, downloaded on to a device when the user accesses certain websites. Cookies are then sent back to the originating website on each subsequent visit. Cookies are useful because they allow a website to recognise a user’s device.
The use of cookies and similar technologies has for some time been commonplace, and cookies in particular are important in the provision of many online services. Using such technologies is not prohibited, but the rules do require that people are told about cookies and given the choice as to which of their online activities are monitored in this way.

Cookies can expire at the end of a browser session (from when a user opens the browser window to when they exit the browser) or they can be stored for longer. The main types of cookie are:

  • Session cookies: allow websites to link the actions of a user during a browser session. They may be used for a variety of purposes such as remembering what a user has put in their shopping basket as they browse around a site. They could also be used for security when a user is accessing internet banking or to facilitate use of webmail. These session cookies expire after a browser session so would not be stored longer term. For this reason session cookies may sometimes be considered less privacy intrusive than persistent cookies.
  • Persistent cookies: are stored on a user’s device in between browser sessions, which allows the preferences or actions of the user across a site (or in some cases across different websites) to be remembered. Persistent cookies may be used for a variety of purposes, including remembering users’ preferences and choices when using a site or targeting advertising.
  • First and third party cookies: whether a cookie is ‘first’ or ‘third’ party refers to the website or domain placing the cookie. First party cookies, in basic terms, are cookies set by the website visited by the user (the website displayed in the URL window). Third party cookies are cookies set by a domain other than the one being visited by the user. If a user visits a website and a separate company sets a cookie through that website, this would be a third party cookie.

The law
The law governing this area is the Privacy and Electronic Communications (EC Directive) Regulations 2011 as amended (the “Regulations”).
The law requires:
a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.
(2) The requirements are that the subscriber or user of that terminal equipment-
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
(b) has given his or her consent.
Your obligations
Those setting cookies must:

  • tell people that the cookies are there, 
  • explain what the cookies are doing, and 
  • obtain their consent to store a cookie on their device.

First steps
It is important that you start work on complying with these rules now. First steps should be to:

  • check what type of cookies and similar technologies you use and how you use them;
  • assess how intrusive your use of cookies is; and
  • where you need consent, decide what solution for obtaining consent will be best in your circumstances.

Obtaining consent
Once you know what you do, how you do it and for what purpose, you need to think about the best method for gaining consent. The more privacy intrusive your activity, the more you will need to do to get meaningful consent.

Conducting a cookies audit
An audit of cookies could involve the following steps and considerations: 

  • identify which cookies are operating on or through your website;
  • confirm the purpose(s) of each of these cookies;
  • confirm whether you link cookies to other information held about users, e.g. usernames;
  • identify what data each cookie holds;
  • confirm the type of cookie: session or persistent;
  • if it is a persistent cookie, establish how long its lifespan is;
  • establish whether it is a first or third party cookie and, if it is a third party cookie, who is setting it; and
  • double check that your privacy policy provides accurate and clear information about each cookie.

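As an added example (not from the article or the ICO guidance) of how the cookie types described above can be recognised mechanically and how the audit steps can be worked through, the following Python script takes a constructed set of Set-Cookie headers, decides whether each cookie is session or persistent (or a deletion), computes its lifespan, labels it first or third party relative to the visited page, and records its security flags and value. The hostnames, cookie names and reference date are constructed; the first-vs-third-party test uses a two-label approximation of the registrable domain rather than the Public Suffix List, which a production audit should use instead.

```python
"""Cookie audit helper: classify Set-Cookie headers (added example, not
part of the original article). For each cookie seen while a user browses
a page it records type (session/persistent/deletion), lifespan, first or
third party status, flags and value, i.e. the inventory the audit asks for.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample traffic: (host that sent the response, Set-Cookie value).
# All hostnames and cookie names are hypothetical.
SAMPLE_RESPONSES = [
    ("www.example.com", "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("www.example.com", "prefs=lang%3Den; Max-Age=31536000; Path=/"),
    ("static.example.com", "basket=3; Expires=Thu, 31 Jan 2013 00:00:00 GMT; Path=/"),
    ("ads.tracker-example.net",
     "uid=xyz; Max-Age=63072000; Domain=.tracker-example.net; Path=/"),
    ("www.example.com", "old_promo=; Max-Age=0; Path=/"),
]

# Fixed reference time so lifespans derived from Expires are reproducible.
NOW = datetime(2012, 1, 31, tzinfo=timezone.utc)


def registrable_domain(host):
    """Approximate the 'site' by the last two labels (example.com).
    Simplification: a real audit should use the Public Suffix List,
    otherwise hosts such as shop.co.uk are grouped wrongly."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, attributes).
    Attribute names are lower-cased; flags without a value map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if attr:
            key, _, val = attr.partition("=")
            attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def lifespan_seconds(attrs, now=NOW):
    """None for a session cookie, otherwise seconds until expiry.
    RFC 6265: Max-Age takes precedence over Expires when both are present."""
    if "max-age" in attrs:
        return int(attrs["max-age"])
    if "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:  # tolerate a naive value from the parser
            expires = expires.replace(tzinfo=timezone.utc)
        return int((expires - now).total_seconds())
    return None


def classify_cookie(setting_host, header, page_host, now=NOW):
    """Build one audit row for a cookie set by `setting_host` while the
    user was viewing `page_host`."""
    name, value, attrs = parse_set_cookie(header)
    life = lifespan_seconds(attrs, now)
    domain = attrs.get("domain")
    if not isinstance(domain, str):  # no Domain attribute: host-only cookie
        domain = setting_host
    domain = domain.lstrip(".").lower()
    if life is None:
        kind = "session"
    elif life <= 0:
        kind = "deletion"  # Max-Age=0 or a past Expires removes the cookie
    else:
        kind = "persistent"
    samesite = attrs.get("samesite")
    return {
        "name": name,
        "type": kind,
        "lifespan_days": life // 86400 if life and life > 0 else None,
        "party": "first" if registrable_domain(domain) == registrable_domain(page_host) else "third",
        "domain": domain,
        "secure": attrs.get("secure") is True,
        "httponly": attrs.get("httponly") is True,
        "samesite": samesite if isinstance(samesite, str) else None,
        "value": value,
    }


def audit(responses, page_host, now=NOW):
    """Audit rows for every Set-Cookie seen while on `page_host`."""
    return [classify_cookie(h, c, page_host, now) for h, c in responses]


def format_report(rows):
    """Plain-text table, one cookie per line, for the privacy-policy review."""
    lines = [f"{'name':<12}{'type':<12}{'days':>6}  {'party':<7}{'domain':<24}flags"]
    for r in rows:
        flags = ",".join(f for f in ("secure", "httponly") if r[f]) or "-"
        if r["samesite"]:
            flags += f",SameSite={r['samesite']}"
        days = "-" if r["lifespan_days"] is None else str(r["lifespan_days"])
        lines.append(f"{r['name']:<12}{r['type']:<12}{days:>6}  {r['party']:<7}{r['domain']:<24}{flags}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(audit(SAMPLE_RESPONSES, "www.example.com")))
```

Run as a script it prints the inventory table for the constructed sample; in practice the `(host, Set-Cookie)` pairs would come from a proxy or browser developer-tools export of a browsing session. The `value` column is kept verbatim because working out what data a cookie actually holds (audit step four) still needs a person who knows the application.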
The Regulations are not prescriptive about the sort of information that should be provided, but the text should be sufficiently full and intelligible to allow individuals to clearly understand the potential consequences of allowing the cookies, should they wish to do so. At present, levels of user understanding are likely to be low, and so those using cookies will need to make a particular effort to explain the activities of cookies in a way that people will understand.

Long tables or detailed lists of all the cookies operating on a website may be the type of information that some users will want to consider. For most users it may be helpful to provide a broader explanation of the way cookies operate and the categories of cookies that you use on your website. A description of the types of things analytical cookies are used for on the site will be more likely to satisfy the requirements than simply listing all the cookies you use with basic references to their function.

Enforcement and penalties
The Information Commissioner’s (“IC”) aim is to ensure organisations comply with the law. In cases where organisations refuse or fail to comply voluntarily, the IC has a range of options available to him to take formal action where this is necessary.
The main options are:

  • Information notice: this requires organisations to provide the Information Commissioner with specified information within a certain time period.
  • Undertaking: this commits an organisation to a particular course of action in order to improve its compliance.
  • Enforcement notice: this compels an organisation to take the action specified in the notice to bring about compliance with the Regulations. For example, a notice may be served to compel an organisation to start gaining consent for cookies. Failure to comply with an enforcement notice can be a criminal offence.
  • Monetary penalty notice: this requires an organisation to pay a monetary penalty of an amount determined by the ICO, up to a maximum of £500,000. This power can be used in the most serious cases, and only if specific criteria are met: a person has seriously contravened the Regulations, and the contravention was of a kind likely to cause substantial damage or substantial distress. In addition, the contravention must either have been deliberate, or the person must have known or ought to have known that there was a risk that a contravention would occur and failed to take reasonable steps to prevent it.

Can I ignore this?
This isn’t going away; it is the law. The Regulations come from a European Directive that was passed in 2009. The requirements will not change and cannot be ignored. Many organisations are already making a lot of effort to comply. The IC has been clear that he will take a practical and proportionate approach to enforcing these rules where organisations are making the effort to comply.

Nobody complains about cookies – so why the fuss?
Consumer research indicates that at this point in time individuals generally have a low understanding of what cookies are, how they work and how to exercise choice over those cookies. You cannot rely on the fact that people don’t complain where levels of understanding of an activity are very low. One of the purposes of the Regulations is to increase individuals’ awareness and understanding so they can decide whether or not they object to cookies. Those who use cookies have a part to play in educating consumers and in making the case, to individuals who have concerns, for why the cookies you want to use are beneficial.

For further information or specific legal advice please contact:
Keith Dempster on 020 7539 7081 or email keith.dempster@kermanco.com; or
Carl Robinson on 0207 539 7089 or email carl.robinson@kermanco.com.

The contents of this article are intended for general information purposes only and shall not be deemed to be, or constitute legal advice. We cannot accept responsibility for any loss as a result of acts or omissions taken in respect of this article.

Key People

Carl Robinson, Associate partner

© Kerman & Co LLP (London). Authorised and regulated by the Solicitors Regulation Authority (England & Wales) SRA No. 382661.

Kerman & Co (Dublin) Regulated by the Law Society of Ireland. All rights reserved 2012. 