More guidance on “Cookies”

The Information Commissioner’s Office has issued further guidance to help businesses become compliant with new rules about the use of cookies on their websites.

The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 came into force on 25th May last year and require website owners to get “explicit consent” from users before cookies are stored on their computers, in effect making thousands of websites illegal under European law. The ICO’s “grace period” for taking enforcement action expires on 26 May 2012.

Cookies are small files that are downloaded onto a user’s computer when he/she browses certain websites, and which can be used to collect personal data.

It appears from the guidance that the ICO will initially focus enforcement on sites with more “intrusive” cookies – where the cookie is used for marketing purposes by capturing and storing personal data.

Website owners should therefore:

  1. Audit the site’s cookies and remove any that are not strictly necessary;
  2. Tell the user what cookies are being used and make this explanation prominent to the user. The ICO guidance states that a mere link to a privacy policy will not be sufficient;
  3. Get consent. There is no defined right way to go about this but the guidance suggests that a “tick box” may be required for more intrusive cookies, whereas for less intrusive cookies it may be sufficient to provide prominent information about cookies on the site.

Doing nothing is not an option and businesses which fail to take adequate steps may face fines of up to £500,000 for non-compliance.

For further information please contact us at