Cookies deadline approaching

Is your website UK-compliant with the Cookies Regulations?

UK organisations with websites have until May 25, 2012 to assess whether they are compliant with the regulatory requirements on use of cookies or other tracking technologies. Websites breaching the relevant rules and regulations risk fines of up to £500,000.

The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 implement the cookies requirements set out in the European Union's Directive on ePrivacy (2002) and amend The Privacy and Electronic Communications (EC Directive) Regulations 2003. While the UK requirements and the provisions set out below are primarily for those entities continuing or targeting business in the European Union, they also give helpful guidance for website providers undertaking tracking or other information gathering techniques globally.

There is increasing scrutiny by regulators in countries across the globe, including the US as well as the UK, as to the transparency of company use of consumer (and other user) tracking technologies and the required consent to such tracking. Each organisation must adapt the new law to fit its own specific operations. Further, the rules and regulations of the jurisdictions in which a company operates and the territory in which its website is hosted, or to which it is targeted, may have specific requirements that need to be taken into account.

Key Requirements for UK Website Providers

Transparency

Website providers should give users clear and comprehensive information about the purposes of the storage of, or access to, information on a user's personal computer, laptop, tablet or mobile phone. To meet this requirement, consider providing:

  • a brief introduction about the nature of the information storage and collection techniques and any relevant devices that any monitoring may impact upon (e.g., personal computers, mobile phones etc.);
  • an overview of the information storage and collection techniques such as cookies, flash cookies, HTML5 and ETags. Provide information on whether such techniques are permanent or temporary;
  • reasons for using these technologies and whether the technique is strictly necessary, performance-related, functionality-related, or advertising-related. Include whether information is ever disclosed to third parties.
  • an explanation of what information is collected (e.g. device, browser type, operating system, hardware, mobile network information etc.)
  • information on third-party collection of information. Describe whether the website interacts with third-party information storage or collection techniques. Be transparent about how the website works with third-party providers to ensure that the user is provided with the necessary information and an opportunity to make their choice.
  • information on the user's right to refuse the use of information collection technologies. Describe how consent to the relevant information storage or gathering techniques is obtained and provide information on how consent can be withdrawn. Inform users if thet are able to amend browser settings to prevent cookies or similar technologies being used.

Consent

The user must provide their consent in respect of the storage of, or access to, information held. This is referred to as the consent requirement. A user can signify consent by amending or setting controls on the internet browser or by using another application or programme to signify consent. Website providers will need to consider the most appropriate method to obtain the user's consent. The nature of the consent required will vary depending upon the type of information collected, the amount of information collected and the sharing of that information with third parties. Website providers should consult with their legal advisors, as there is by no means a 'one size fits all' solution.

Further information

  • Want to know about what other businesses are saying? Join the cookies debate in the Federation of Small Businesses' discussion forum