New Cookies Guidance published by UK Information Commissioner

Cookies Guidance: The UK Information Commissioner (ICO) has published updated guidance on the use of website cookies following a change in the law earlier this year.

But, whilst the new cookies guidance takes a pragmatic approach to continued issues around the use of cookies, the Commissioner is also critical of web site owners for so far failing to comply with the new rules...

The new cookies guidance is supporting key compliance mechanisms, such as: implied consent; enhanced notice and transparency; the contractual approach; and the intrusiveness approach. If the ICO adheres to this approach, then a good balance will be struck between the interests of all the key stakeholders.

In his press release, Information Commissioner, Christopher Graham, said:

'The cookies guidance we’ve issued today builds on the advice we’ve already set out, and now includes specific practical examples of what compliance might look like. We’re half way through the lead-in to formal enforcement of the rules.

But, come 26 May next year, when our 12 month grace period ends, there will not be a wave of knee-jerk formal enforcement actions taken against those who are not yet compliant but are trying to get there.'

Legal framework

The UK government revised The Privacy and Electronic Communications Regulations 2003, which came into force in the UK on 26 May, to address new EU requirements. The Regulations make it clear that UK businesses and organisations running websites in the UK need to get consent from website visitors in order to store cookies on users’ computers.

About cookies

A cookie is a small file that a website puts on a user’s computer so that it can remember something, for example the user’s preferences, at a later time. The majority of businesses and organisations in the UK currently use cookies for a wide variety of reasons – from analysing consumer browsing habits to remembering a user’s payment details when buying products online.

Key points in the cookies guidance

Key points set out in the amended cookies advice include:

  • More detail on what is meant by consent. The advice says ‘consent must involve some form of communication where an individual knowingly indicates their acceptance.’
  • The guidance explains that cookies used for online shopping baskets and ones that help keep user data safe are likely to be exempt from complying with the rules.
  • However, cookies used for most other purposes including analytical, first and third party advertising, and ones that recognise when a user has returned to a website, will need to comply with the new rules.
  • Achieving compliance in relation to third party cookies is one of the most challenging areas. The ICO is working with other European data protection authorities and the industry to assist in addressing the complexities and finding the right answers.
  • The ICO will focus its regulatory efforts on the most intrusive cookies or where there is a clear privacy impact on individuals.