COOKIES AND CONSENT
Since 26 May 2011 it has been unlawful in the UK to use cookies to collect user data without first obtaining consent. There is an exception when a cookie is strictly necessary for a service which a user has requested, e.g. where a user places an item in an online shopping basket and there is a need to ensure that payment is for the goods actually purchased. The Information Commissioner’s Office says that the new law applies to “UK businesses and organisations operating websites in the UK”. Currently there is no such requirement to obtain consent in the US, but it is possible that the US may copy the EU and change its laws in the future, as it tends to adopt EU data protection concepts over time.
Check Your Website
Website owners should audit their websites for compliance by checking what types of cookies are used and how. Consider whether or not the “necessary” exception applies. Also, do not forget that third parties placing content on your website, e.g. advertisements, may be setting cookies.
Assess how intrusive your use of cookies is and then decide which solution is most suitable for your business to obtain the required consent from users.
How to Obtain Consent
A few weeks ago the UK Information Commissioner published guidance on how to comply with the new laws.
It was suggested that consent could be obtained via:
• pop-ups, or
• your terms of use, which users agree to upon registering with your website, or
• text in a header or footer on pages of the website, or
• inclusion in preferences that users set when using a website.
Relying on browser settings is not acceptable, as there is currently no adequate technical solution for browsers. This position could change in the future.
Consequences of Non-Compliance
Until May 2012, the Information Commissioner’s Office (ICO) will not penalise an organisation for breaches of the new laws. However, organisations should be taking steps now to ensure compliance, as failure to take appropriate steps now will be taken into account when formal enforcement begins in May 2012.
Penalties for Breach
The ICO can impose a fine of up to £500,000 for a serious breach. A serious breach is defined as a serious contravention likely to cause substantial damage or distress. The breach must have been deliberate, or the person responsible must have known or ought to have known that a breach would occur and then failed to take reasonable steps to prevent it.
The ICO plans to provide further details on this in October 2011.
——————————————————————————–
Learn more about Irene Bodle
I think it will be a new concept that changes the game for web analysts, because cookies play a major role in tracking data and analyzing visitors’ behavior. Thanks for the great info.
Thanks for the comment Anupam, it will be interesting to see how this develops during the year and the impact it has on analytics.
This was an interesting piece to read because recently we ran a piece on our blog about using internet cookies – it’s good to read the laws and such behind it.
Glad it was of interest Gabriella.
We wanted to talk about this new law and writing about legislation is a balance between getting the facts right and avoiding jargon, so we were delighted when Irene joined as a featured WAW blogger! Saw the Cookie Crunch post you mentioned and it will be good to read Investigatrix’s review on how it performs. I can understand why users will want to be more proactive regarding cookies and I am curious to see how the user’s online experience will be affected as websites comply and try to obtain the required consent.
Bit more about EU Cookie Law over here http://www.cookielaw.org – If GA didn’t exist we’d all use Logs, so there is a chance GA will have a workaround… you’d think so!
You may be interested to know that a compliance solution is now freely available from http://www.civicuk.com/cookie-law.
The free widget, known as “Cookie Control”, will be adopted by Public Sector websites in Scotland in the run up to the May 2012 compliance deadline.
In itself, the solution doesn’t guarantee compliance for your website (you still need to do a cookie audit and publish the results in your Privacy Policy), but it gets you a long way there by making it explicit to users that cookies are at work on your site.
Webmasters can configure their own Cookie Control widget here: http://www.civicuk.com/cookie-law