Do your cookies comply? An update for websites
Posted by Paul Dungate on 5th October 2011
There have recently been changes to the UK data privacy framework: new regulations, implementing amended EU Directives, introduce new rules on “cookies” among other matters. The measures have been made by amending the Privacy and Electronic Communications Regulations.
Cookies are important in the operation of many websites. When a user browses a site, a small text file is stored by the user’s web browser and sent back with later requests, enabling the website to recognise that user on future visits. Cookies can be used for various functions, including tracking a user’s online activity, and so can intrude on the user’s privacy. The previous position was that anyone placing cookies (website operators, not only internet service providers) had to inform users how the cookies were used and give them the option to opt out.
Now, however, a person is not permitted to store information, or gain access to information already stored, on a user’s computer or device without that user’s consent. Exemptions apply where the storage or access is for the sole purpose of transmitting a communication over a network, or is strictly necessary to provide a service the user has explicitly requested (a session cookie holding the contents of a shopping basket, for example); analytics and advertising cookies do not fall within them. For consent to be valid, the user must have been given clear and comprehensive information about the purposes of the storage or access, and must have acted positively in accepting the cookies, having had the chance to refuse them.
The Regulations also allow consent to be signified by a user who has amended or set the controls on their internet browser (or other application) so as to accept cookies. In practice, though, consent is more likely to be obtained through the familiar pop-up notice or tick-box acceptance, requiring a specific opt-in act by the user for that specific use.
The trouble is that, probably (like me), most people, whether at home or at work, do not actively set or change their browser settings for the sites they visit and simply rely on the defaults. Default settings permit cookies automatically, and the Information Commissioner’s Office has confirmed that this is no longer sufficient to show consent. Its guidance says that “at present, most browser settings are not sophisticated enough to allow you to assume that the user has given their consent”.
Many website operators are unhappy about the limited notice given to comply with the new requirements. Whilst the ICO has said it will not take enforcement action until May 2012, businesses should use the ICO’s guidance to become compliant now. That is, they should:
- consider the types of cookies you currently use, how you use them and how they are placed on users’ computers;
- assess how intrusive your use of cookies is; and
- decide the best way to obtain users’ consent to set your cookies.
In addition to requiring providers of electronic communications services to put in place clear security policies on the processing of personal data (which the ICO can audit), the Regulations introduce a fixed penalty of £1,000 for a service provider that fails to notify the ICO of a personal data breach. Is that sufficient (with the reduction to £800 if paid within 21 days) to encourage service providers to comply with the new notification requirement? A service provider must also tell subscribers and users about a breach where it is likely to adversely affect them.
The ICO has been granted stronger investigatory powers, including the power to fine up to £500,000 for serious breaches of the Regulations. Separately, there are new powers for the police and security services to request access to personal data, and service providers are required to establish procedures so that they can comply with such requests at any time. Civil liberties groups may well raise complaints about this.
Whilst the Government has further restricted the sending of unsolicited electronic mail for direct marketing purposes (direct marketers must now be clearly identified as such, and any offers, competitions and their qualifying conditions must be clearly stated), it has so far resisted following the EU Directive’s provision allowing those with a legitimate interest in combating spam, and not just its direct recipients, to take civil legal action against spammers.
Anyone whose business operates a website, particularly one that uses cookies and/or collects personal data through the site for whatever reason, would be well advised to review and audit what they have at present and to bring the way they operate into line with the new rules.
