Data Protection

The rules on using cookies and similar technologies to store information on a user’s equipment changed on 26 May 2011.

Why has this happened?

The rule change is the result of implementation of an EU Directive. The new rules are contained in Regulation 6 of the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011.

What do the Regulations cover?

The Regulations cover the use of cookies - small files downloaded onto a device when the user accesses certain websites, allowing the website to recognise the user's device. They also apply to similar technologies for storing information - including locally stored objects (flash cookies).

What has changed?

Prior to 26 May 2011, if you used cookies to store information, you had to provide clear and comprehensive information to users about your use of cookies and give users the right to opt-out. Many websites complied with this rule by including information about cookies in a privacy policy.

From 26 May 2011, cookies can only be placed on a user's equipment if the user has given their consent. The requirement to provide clear and comprehensive information remains in place.

Does the new rule apply to all cookies?

Yes - except for one limited exception. Consent does not need to be given where the cookie is "strictly necessary" for a service requested by the user. This is a very narrow exception. For example, it could apply to a cookie used to ensure that where a user clicks "proceed to checkout" when purchasing online, the site remembers the items chosen on a previous page.

This exception is very narrow. The EU Directive on which it is based refers to a service "explicitly requested" by the user and the Information Commissioner, who will enforce these Regulations, will bear this in mind in deciding whether or not the Regulations have been complied with.

Also, the requirement to provide information about a cookie and obtain consent is only required the first time it is set for a particular user. You do not have to do this again for the same person provided that it is the same cookie and is used for the same purpose.

What do you have to do and when?

The government believes there should be a phased approach to implementing these Regulations. However, this does not mean that you should do nothing. The Information Commissioner's Office has issued initial guidance on the new Regulations which are a starting point rather than a definitive guide. The guidance contains practical steps for you to take now.

Remember that the Information Commissioner's Office has made it clear that they are primarily interested in the information gathered through the use of cookies and what organisations do with that information, rather that the cookies themselves.

How do we obtain consent?

What next?

More guidance will be issued by the Information Commissioner over time. In particular, guidance on enforcement is expected to be published. Keep an eye on the Information Commissioner's website for this guidance.

The Information Commissioner will also provide guidance giving examples of methods for obtaining consent and is keen to receive examples from industry. Given the difficulties in obtaining consent, he has stated that he is unlikely to take enforcement action in the first 12 months provided that organisations have taken the steps set out in the guidance. Therefore the current guidance should be followed in order to demonstrate, if any complaint is made, that you have done all you can to comply with the new rules.

Where can I find more information?

The Information Commissioner's website should be checked regularly for updated guidance

The Initial Guidance from the Information Commissioner

All about Cookies - a website for consumers and marketers which explains the issues surrounding the use of cookies.

For further information please contact:

This article is for general information purposes only and does not constitute legal or professional advice. It should not be used as a substitute for legal advice relating to your particular circumstances. Please note that the law may have changed since the date of this article.

Other Recent Articles