If your website uses cookies or similar technology, you need to comply by 26th May 2012 with the new cookies rules introduced last year. This means that you need to tell users what cookies your site uses, explain what those cookies do and, unless certain very narrow exceptions apply (read "Can you rely on exceptions to the cookie regs?"), obtain consent for any that are stored on the users’ computer, mobile phone or other web-enabled device. Previous blogs have dealt with the rules and the guidance issued by the ICO, including the exemptions – see the links below if you would like to look at that information.
The ICO has updated its guidance on the new rules, which now includes more detail and suggestions as to how to comply. It also stresses that the previous law about supplying information to users about the cookies you use still applies in addition to the new requirements, although it notes that website owners have not always complied with it.
The first steps recommended by the ICO are to:
- Check what type of cookies and similar technologies you use and how you use them.
- Assess how intrusive your use of cookies is.
- Where you need consent, decide which solution for obtaining consent will be in your best interest.
The ICO goes on to suggest carrying out a cookies audit to cover the following points:
- Identify which cookies are operating on or through your website
- Confirm the purpose(s) of each of these cookies
- Confirm whether you link cookies to other information held about users - such as usernames
- Identify what data each cookie holds
- Confirm the type of cookie – session or persistent?
- If it is a persistent cookie how long is its lifespan?
- Is it a first or third party cookie? If it is a third party cookie, who is setting it?
- Double check that your privacy policy provides accurate and clear information about each cookie
The ICO guidance contains details of the different types of cookies and explains what it means by first and third party cookies. If your site contains a link to another site, the ICO takes the view that you still have a role to play if that third party sets cookies when it is accessed via your site, and it offers advice as to how this might be dealt with.
It is not a prudent option to do nothing before the twelve month grace period comes to an end on 26th May 2012. After that time, the ICO has made it clear that if they investigate your site and it is found not to be in compliance with the regulations, you should be able to demonstrate what steps you have taken to try and comply, what you propose to do to achieve compliance and your timescale for so doing. Any website owner who has done nothing will not get much sympathy – the ICO’s December 2011 report ended with the message that in such circumstances they might reasonably ask “if others can do it, why can’t you?”, so please contact me if you would like any assistance.
Sue Mann
Commercial Solicitor, Birmingham
Tel: 0121 246 4437
Previous blogs on this topic which you may wish to look at are:
- New rules on the use of cookies
- Time to comply with the new rules on the use of cookies
- Website owners are warned by Information Commissioner about lack of progress in compliance
- New guidance from the ICO about the cookies regulations
- Can you rely on exceptions to the cookie regulations?
This blog is not intended to constitute legal advice, nor is it intended to be a complete and authoritative statement of the law, and what we say might be out of date by the time you read it. You should always seek legal advice to confirm whether or how any information in this article applies to your particular situation. We offer a free telephone consultation to discuss your particular circumstances.