‹ Blog / FL1

New UK law on use of website Cookies deferred for one year

Jun 2nd 2011

UK websites are being given one year to comply with EU cookie laws, the Information Commissioner's Office has said. The regulations were commonly complied with by the inclusion of relevant wording in a website’s Privacy Policy, however this is no longer to be the case. So, how might these changes in the law affect your website?

UK websites are being given one year to comply with EU cookie laws, the Information Commissioner’s Office has said. This was referred to in a recent article on the BBC’s website.


The regulations regarding Cookies changed with effect from the 26th May 2011.

The regulations apply to storage or gaining access to information stored, in the device of a subscriber or user. This means the use of cookies and similar technologies for storing information. The Regulations also apply to similar technologies for storing information. This could include, for example, Locally Stored Objects (commonly referred to as “Flash Cookies”).

Until recently the regulations simply imposed an obligation on websites to;
• Tell users how websites were to use cookies and,
• Advise users how they could “opt-out if they objected.
The regulations were commonly complied with by the inclusion of relevant wording in a website’s Privacy Policy.

The main change relating to cookies is that websites may not place cookies on a visitor’s machine without first having received express consent. This is a move from an “opt out” culture to an “opt-in” one.

Websites are still required to provide clear and comprehensive information about the purposes, storage and access to that information.

There are some very limited exceptions to the express consent rule where, for example, a cookie is used to verify the purchase of goods e.g. when a user clicks “add to basket” or “proceed to checkout”.

Given that these regulations are very “fresh”, and given the government’s views on implementation there is no definitive answer as to how “consent” should be obtained. There is one argument that says a website can rely on the user’s browser settings At present, most browser settings are not sophisticated enough to allow you to assume that the user has given their consent to allow a website to set a cookie. Also, not everyone who visits a site will do so using a browser. They may, for example, have used an application on their mobile device.

One solution proposed is to use a “pop-up”. This might initially seem an easy option to achieve compliance – you are asking someone directly if they agree to you putting something on their computer and if they click yes, you have their consent – but it’s also one which might well spoil the experience of using a website if you use several cookies.

Probably the best and most “risk free” solution is to revise terms and conditions for a website. There are already lots of examples of gaining consent online using the terms of use or terms and conditions to which the user agrees when they first register or sign up.

However, it is important to note that changing the terms of use alone to include consent for cookies would not be good enough even if the user had previously consented to the overarching terms. To satisfy the new rules on cookies, websites have to make users aware of the changes and specifically that the changes refer to their use of cookies. It would then be necessary to gain a positive indication that users understand and agree to the changes, e.g. a ticked “understanding and consent” box.

There is no “catch all” solution so each website will need to consider its use of cookies, the type of cookies and the best way to comply with the regulations without minimizing the impact of their website

The relatively good news is the government’s view that there should be a phased approach to the implementation of these changes. In light of this the Information Commissioners Office have stated that were they to receive a complaint about a website, they would expect an organisation’s response to set out how they have considered the points above and that they have a realistic plan to achieve compliance. They have also stated that they would handle this sort of response very differently to one from an organisation which decides to avoid making any change to current practice.

The key point is that you cannot ignore these rules.

Please remember that the above comprises only a brief précis of the nature and impact of the latest regulations and is by no means a full and comprehensive summary.

Source: Brian Scott at Max Montague Limited