Cookie Compliance update


Disclaimer: LawSkills provides training for the legal industry and does not provide legal advice to members of the public. For help or guidance please seek the services of a qualified practitioner.


If you have visited any UK-based website in the last few months, you have probably been faced with a prompt letting you know that it uses cookies and asking if that is OK with you. If you have a website that uses cookies, you need to consider whether you are having that conversation with your visitors:

  • Are they made obviously aware when cookies are being used and what they are used for?
  • Are they clearly consenting to their use?

If not, you may be in breach of the act and subject to prosecution.

What’s changed?

This is because in May 2012 the UK, through The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011, began to enforce the regulations which changed Article 5(3) of the E-Privacy Directive. The changes require consent for storage of, or access to, information stored on a subscriber's or user's terminal equipment – in layman's terms, “cookies”.


This regulation basically requires consent from the user for the use of cookies and defines ‘the data subject’s consent’ as:

‘any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed’.

Is implied consent acceptable?

Interestingly, the Information Commissioner’s Office (ICO) in the UK has indicated through its guidance that implied consent may be acceptable in some cases. This is usually where it is clearly made known to the user that taking a particular action will cause data to be stored on their equipment (be that a PC or a mobile phone) and the user then continues to take that action.

It is important to note that the ICO guidance makes the point that all consent has to be clearly informed. It is not good enough to assume that a user will know that, say, adding an item to a shopping basket will create a cookie.

The ICO guidance gives a good analogy:

“if a patient visits a doctor this act alone would not be taken as indication that the patient consents to examination, treatment or the recording of health information. The patient and doctor would hold a conversation during which the doctor might offer an invitation to the patient to lie down on an examination couch. In the context of this exchange the doctor might now be able to infer consent from the patient’s actions”

What constitutes implied consent?

The ICO guidelines have recently been updated to clarify the rules on implied consent.

  • Implied consent can be used in the context of compliance with the revised rules on cookies.
  • But if relying on implied consent, you have to be satisfied that you have informed consent; that is, that your users and visitors understand that their actions will result in cookies being placed on the PC they are using.
  • You may not rely on a user/visitor having read a privacy policy. This is particularly true where privacy policies are not easily understood or located.
  • Where collecting data which is more sensitive, and in particular personal data as covered by the Data Protection Act, it is likely that gaining explicit consent is more appropriate.

Is any use exempt?

In June 2012 the European data protection working party issued an opinion that some cookie uses might be exempt from needing consent. Quoting from the ICO guidance:

  • Some cookies can be exempted from informed consent under certain conditions if they are not used for additional purposes. These cookies include cookies used to keep track of a user’s input when filling online forms or as a shopping cart, also known as session-id cookies, multimedia player session cookies and user interface customisation cookies, eg language preference cookies to remember the language selected by the user.
  • Analytics cookies are not likely to create a privacy risk if websites provide clear information about the cookies to users and privacy safeguards, eg a user friendly mechanism to opt out from any data collection and where they ensure that identifiable information is anonymised.

Practical application

Most website owners seem to have taken the view that it is better to be safe than sorry. They have added a panel to their site that appears on a user's first visit, informing them that the site uses cookies and that by continuing to use the site they are consenting to the use of those cookies. Most sites also make the user take some action to dismiss this panel, and thus can show that the user must have seen it.

Whilst it is important to comply with this regulation and gain informed consent, there has been a certain level of annoyance amongst users about being repeatedly prompted about cookie use. Perhaps, once consent has been obtained, a good use of a cookie would be to store that fact and not prompt the user again?
