Articles | That’s the way the cookies crumble...

Websites and the use of cookies.



1 London Street,

+44 (0)118 951 6200


Cathrine Ripley

Cathrine Ripley

Without realising it, most businesses across the country will have been affected by the legislation introduced on 26 May 2011 which regulates the use of cookies (or any other similar technology that stores information).

So what do the new rules say?

In essence, the new legislation prohibits the provider of a website from placing cookies on a user’s computer without first obtaining the user’s consent.  Previously, it was sufficient that a website offered users the opportunity to refuse or object to the deployment of cookies.  This is more commonly known as an “opt-out” scheme and does not require active consent.  By contrast, users must now “opt-in” before a cookie can be placed on their machine. 

The only exception to this rule is if the placement of the cookie is “strictly necessary” for a service requested by the user.  Unfortunately, this exception is likely to be narrowly interpreted and will be limited to a small range of activities.  The exception would not apply, for example, if the cookie is used to collect statistical information about the use of your website or because the placement of such cookies makes your website more attractive.

How to comply with the new rules

The Information Commissioner's Office (ICO) has issued some guidance on the new rules:

  • Check what type of cookies and similar technologies are being used and how they are used.
  • Assess how intrusive the use of cookies are.
  • Decide on the best solution for obtaining consent.

The ICO suggests that a useful idea would be to think of this in terms of a sliding scale, with intrusive cookies at one end and privacy neutral cookies at the other.  Efforts to achieve compliance should be prioritised for the more intrusive cookies, such as those that involve creating detailed profiles of an individual's browsing activity.

Third parties

The ICO guidance also specifically mentions the role of third parties.  Firstly, where information collected about website use is passed to a third party then this needs to be made absolutely clear to users.

Additionally, the ICO suggests that it is not just the website provider who needs to take note of the new rules.  If your own content, software or other application (which uses cookies) is being used on another website, you may also be required to ensure that users of the other website are aware of any information being collected.  In addition, such third party website must allow visitors to make informed choices about what is stored on their device.

Timescales and enforcement

The ICO may enforce the new rules in a number of ways including imposing significant fines for serious breaches.  However, in recognition of the potential inconvenience that will be caused to both users and website providers, the ICO has stated that enforcement action will not be taken until May 2012.  However, organisations must still take adequate steps to ensure compliance by May 2012 and the ICO may issue a warning to any website provider that it feels is failing to do so.

It is vital that steps are taken as soon as possible to ensure compliance by May 2012.  Should you require any further information regarding these new rules then please do not hesitate to contact Cathrine Ripley who would be glad to assist.