By 26 May 2012, all UK organisations that operate a website will need to obtain consent from visitors to its website in order to continue using cookies. The EU rules on the use of internet cookies changed following amendments made to the E-Privacy Directive. Those changes were implemented in the UK last year following amendments to the Privacy and Electronic Communications (EC Directive) Regulations 2003.
Cookies (put simply, small packets of data stored on a user’s computer when the user accesses and browses a website) are used by most websites for a range of purposes, including to analyse the behaviour of website visitors (to monitor traffic and to report popular pages), to recognise users who return to the website (to personalise pages), to track a user’s interests and deliver targeted advertising to that user, and to allow users to access secure areas of a website.
Cookies which allow users to access secure areas of websites (so-called “strictly necessary” cookies) will be exempt from the requirement to obtain consent.
Steps to take
In line with the ICO guidance, we would recommend that organisations conduct an audit of their websites and in particular:
- check which cookies are being used and how
- assess how intrusive the use is and prioritise compliance efforts (starting with the most intrusive use)
- decide which solution for providing clear and comprehensive information and obtaining consent works best in the circumstances
- involve in the audit process the IT department, web host and designer, and any third parties who provide content or services for the website
- if in doubt about whether you will comply, seek legal advice.
Time is short. Organisations that have not yet done so will need to move quickly to ensure that they comply with the legislation before 26 May 2012. The ICO has the power to issue fines of up to £500,000 for organisations that fail to comply.
The Government Digital Service guidance for public
sector bodies is available here (although it has not been
endorsed by the ICO)