17 Jun 2012

Cookies – Website owners must comply with the new Law


The 12-month lead-in is now over and every business that has a website (and who doesn't!) must implement the Privacy and Electronic Communications (EC Directive) Regulations 2003. The title is itself a mouthful so, for ease of reference, let's call them the "Cookie Regulations". The Cookie Regulations became fully implemented on 26th May 2012 and you ignore them at your peril.


For those who may not be aware, cookies are small files that a website sends to a user's computer when that user accesses the site. They are not programmes, only files that contain information. So how do they work? This is quite simple: on the first visit a cookie is downloaded onto the visitor's PC. The next time the visitor lands on the website, the site checks whether the visitor already has the cookie and, if they do, the site knows that the visitor has been there before. By using the information stored in the cookie on earlier visits, the website can present "information" that may be relevant to the visitor. Cookies often store the contents of a shopping basket from previous visits; the site can then offer similar goods that might "tempt" the visitor. (This is how sites know never to offer me golf equipment!!)
In summary, cookies can quite easily store detailed personal data about a site visitor. Their advantage is that they can make visits to a site easier and interaction smoother. From a site visitor's perspective, are they a good thing? It depends upon your point of view: do you want other people to know personal information about you?
So how does the law control the collection and use of data via cookies? Before 26th May the "opt-out basis" was in force. This meant that the website had to give a site visitor the choice of preventing the use of cookies; if there was no active refusal, the website could assume consent. The main change brought in by the Cookie Regulations is the reversal of that rule: if there is no active consent then cookies cannot be used, and that consent must be informed consent.
What do the Cookie Regulations mean when they refer to "informed consent"? They mean that the website operator must explain the nature of the cookies and what they are used for, and must give the site visitor the chance to consent; if there is no active consent then refusal has to be assumed.
There is an exception to the new general rule, and it relates to cookies that are "strictly necessary" for the website to provide services that are "explicitly requested" by the visitor to the site. For example, if I go onto a well-known website to order a book and request to purchase it, then the use of a cookie placed on my computer to remember what I have put in the shopping basket falls within the exception. You need to be aware, however, that the Information Commissioner (who polices data privacy in the UK) has stated that this exception will be interpreted narrowly. To view the Information Commissioner's web page on cookies, go to ICO on Cookies.
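The opt-in rule and its "strictly necessary" exception can be expressed in a few lines of client-side code. The following is an added example and is not code from the article or from Cleggs Solicitors: it assumes a hypothetical consent record named `cookie_consent`, treats the cookie names `basket` and `session` as strictly necessary, and uses an in-memory cookie jar so it runs outside a browser (in a real page the jar would be backed by `document.cookie`). Any cookie that is not strictly necessary is withheld until the visitor has actively consented; refusal, or silence, means it is never set.

```javascript
// Added example (not part of the original article): a consent-gated cookie helper.
// Assumed names: 'cookie_consent' for the visitor's recorded choice, and
// 'basket' / 'session' as the cookies deemed strictly necessary for a requested service.
const STRICTLY_NECESSARY = new Set(['basket', 'session']);
const CONSENT_COOKIE = 'cookie_consent';

// Minimal in-memory cookie jar so the example runs offline (constructed stand-in
// for document.cookie; the interface is all the helper relies on).
function createJar() {
  const store = new Map();
  return {
    get: (name) => (store.has(name) ? store.get(name) : null),
    set: (name, value) => { store.set(name, String(value)); },
    names: () => [...store.keys()].sort(),
  };
}

// Consent is only "active" when the visitor has explicitly said yes;
// an absent or "no" record is treated as refusal, never as consent.
function hasConsent(jar) {
  return jar.get(CONSENT_COOKIE) === 'yes';
}

// Called from the consent banner once the visitor has made a choice.
function recordConsent(jar, granted) {
  jar.set(CONSENT_COOKIE, granted ? 'yes' : 'no');
}

// Returns true if the cookie was set, false if it was withheld for lack of consent.
// A caller may flag a cookie as strictly necessary explicitly, or rely on the name list.
function setCookie(jar, name, value, { strictlyNecessary = false } = {}) {
  if (strictlyNecessary || STRICTLY_NECESSARY.has(name) || hasConsent(jar)) {
    jar.set(name, value);
    return true;
  }
  return false;
}

// Walk through the scenario from the article: the basket cookie is set on an
// explicitly requested purchase, while a non-essential cookie waits for consent.
function demo() {
  const jar = createJar();
  const beforeConsent = {
    basket: setCookie(jar, 'basket', 'isbn:0000000000'),   // exempt: set immediately
    analytics: setCookie(jar, 'analytics', 'visitor-1'),  // withheld: no consent yet
  };
  recordConsent(jar, true);
  const afterConsent = {
    analytics: setCookie(jar, 'analytics', 'visitor-1'),  // now permitted
  };
  return { beforeConsent, afterConsent, names: jar.names() };
}
```

The important design point is in `hasConsent`: only a recorded "yes" unlocks non-essential cookies, so a visitor who closes the banner without answering is treated exactly like one who refused, which is what the reversal of the old opt-out rule requires.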
I attach two links to sites which, in my view, show the best implementation of the new law on Cookies of the sites that I have visited recently. These are Channel4 and Companies House.
What to do next?
Action | Result | Further action
Review the Privacy Policy on your website | My Privacy Policy specifically complies with the new law on cookies | None required
 | My Privacy Policy mentions cookies but I am not sure whether it complies with the new law on cookies | Contact Martin Hall for details of the free Cookie Health Check
 | I have a Privacy Policy but it does not mention cookies | Contact Martin Hall immediately for details of the free Cookie Health Check
 | I do not have a Privacy Policy | Take immediate action by contacting Martin Hall for details of how he can assist

For further information, please contact Martin Hall at Cleggs Solicitors