
Time runs out for Cookies


Website owners will need to comply with the new law on cookie consent by 25th May 2012. By that date they will need to be able to demonstrate that they have audited the cookies used by their sites and implemented procedures preventing the “setting” of most cookies on users’ computers unless those users have given educated consent.

Recent research has indicated that very few computer users understand the nature and usage of cookies. Educated consent may therefore be difficult to obtain.

The Information Commissioner’s Office (ICO) has powers to fine companies up to £500,000 for breaches of the law but has indicated that such fines are only likely to be imposed for very serious breaches by larger organisations.

The new law was introduced by The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011.

Website owners should, as a matter of urgency, be conducting an audit of their site to discover what cookies it uses and how they can be described for the purpose of obtaining educated consent. Many companies use websites developed and hosted for them by third parties. They should seek the help of those third parties in gathering this information. They may then need to make changes to their site so that, for example, cookies are not “set” until after the user has consented to their use.

Consent is not required for the use of cookies that are “strictly necessary” for the use of the site by the user, for example the cookie that remembers what is in the shopping basket so that you can “proceed to checkout”. “Strictly necessary” is, however, a very tight definition, and the ICO says it wouldn’t include the very common cookie which allows the site to recognise a returning user. Few cookies will be strictly necessary.

A particular problem arises where third parties, perhaps advertisers, set cookies through another’s site. The advertiser is responsible for ensuring “educated consent” but has no control over the mechanisms used by the main site for educating users and obtaining consent. Contractual provisions will need to be used between the advertiser and the site owner to ensure compliance with the law.

The cookies about which the ICO is most likely to be concerned, and therefore to take enforcement action over, are those that gather information about the user over a long period of time so that the user can be profiled. The ICO is unlikely to be impressed with simple check boxes whereby the user signifies consent without having been required to read simple explanations of what it is they are consenting to, cookie by cookie.

Larger site operators are beginning to be compliant. Viewing what they are doing to obtain consent will give a good idea of what will be required, even for the smallest websites.


This is for information purposes only and is no substitute for, and should not be interpreted as, legal advice.  All content was correct at the time of publishing and we cannot be held responsible for any changes that may invalidate this article.