25 Apr 2012 10:57am

Cookie compliance: doing nothing is not an option

From the end of May 2012, organisations with websites must make sure their cookie compliance rules are in order. Richard Anning, head of the IT Faculty at ICAEW, explains what businesses need to do under new regulations

From the end of May 2012, organisations that operate websites that set ‘cookies’ on site visitors’ devices must obtain their consent or potentially face enforcement action from the Information Commissioner’s Office (ICO).

Organisations have had a year’s notice to put in place plans to inform users and obtain their consent; for those organisations that have not yet started work, the expression ‘doing nothing is not an option’ is now extremely appropriate!

A cookie is a small text file, typically consisting of letters and numbers, that is downloaded onto a device when a user accesses certain websites and sent back to the site on later requests. Cookies enable websites to recognise a user’s device and potentially save the user time on the current and subsequent visits.

They also enable the website operator to gather information, possibly personal, on website visitors. It is this latter aspect that is of concern to the regulators.

The requirements flow from the Privacy and Electronic Communications (EC Directive) Regulations 2003, amended in 2011 to implement the 2009 revision of the EU e-Privacy Directive. It was that revised directive that required governments in Europe to implement these changes by 25 May 2011, although a subsequent 12 month moratorium on the use of the ICO’s enforcement powers has given organisations additional time to conform to the new requirements.

The main change in the regulations has seen the move from an ‘opt-out’ system to an ‘opt-in’ for cookie use.

The issue now facing website operators is how to obtain the consent from website visitors for the use of all cookies and to ensure that clear information about the use of cookies is provided.

There are different types of cookie, some of which are more intrusive (and of greater interest to the ICO) than others. Some cookies are strictly necessary for the operation of the website (such as making online shopping baskets work) and are exempt from the consent requirement. Third party cookies (set on a user’s device by a domain other than the one the visitor is viewing, typically through embedded content such as advertising or analytics scripts) are one of the more challenging areas in which to achieve compliance with the rules, because the website operator does not control them directly.

Those setting cookies must:

• Tell people that the cookies are there
• Explain what the cookies are doing
• Obtain their consent to store a cookie on their device.

It is this third point, obtaining consent, that is proving most problematic. Organisations should start their projects with an audit of cookies so that they know which cookies their sites set (including those set by third party content), what each one is for, whether it is strictly necessary and, if not, the best method of gaining consent for it.

The ICO has released two very helpful documents that outline the issues and provide guidance to help businesses become compliant. The most recent, issued in December 2011, is called ‘Guidance on the rules on use of cookies and similar technologies’ (available at http://goo.gl/et5Ve) and provides some very practical tips on how to approach the problem and ensure compliance.

The guidance provides a number of solutions for obtaining consent, including a variety of very useful screen mock-ups. Simple tips include a new heading in the top right corner of the screen (‘New: cookies info’), or a message bar at the foot of the page noting the use of cookies and seeking consent to set them, for example:

‘We use cookies to make your experience of our website better. To comply with the new e-Privacy Directive, we need your consent to set these cookies. I agree/No thanks. Find out more’.
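The audit and the consent bar described above are two halves of one mechanism: the audit produces a register of every cookie the site sets and its purpose, and the site then refuses to set anything outside the ‘strictly necessary’ exemption until the visitor has clicked ‘I agree’. The following is an added illustration in plain JavaScript (runnable under Node.js); it is not code from the article, the ICAEW or the ICO. The cookie register, cookie names and Set-Cookie headers are constructed for the example, and the split into ‘essential’, ‘functional’, ‘analytics’ and ‘third_party’ is an assumed categorisation, not one prescribed by the regulations.

```javascript
// Added example (not from the article or the ICO guidance): a minimal
// cookie audit plus consent gate in plain JavaScript, runnable under Node.js.
// The register, cookie names and Set-Cookie headers are constructed for
// illustration; a real register would be populated by crawling the site's
// own responses and the content it embeds.

// Output of the cookie audit: every cookie the site sets, with its purpose.
// Only 'essential' cookies fall under the "strictly necessary" exemption;
// everything else must wait for consent. The cookie that records the
// consent decision itself is treated as essential.
const COOKIE_REGISTRY = {
  basket_id: { category: 'essential', purpose: 'keeps the shopping basket together across pages' },
  csrf_token: { category: 'essential', purpose: 'protects forms against cross-site request forgery' },
  cookie_consent: { category: 'essential', purpose: "records the visitor's consent decision" },
  site_lang: { category: 'functional', purpose: 'remembers the preferred language' },
  _ga: { category: 'analytics', purpose: 'analytics visitor identifier' },
  ad_id: { category: 'third_party', purpose: 'advertising network identifier' },
};

// Parse one Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? '' : pair.slice(eq + 1);
  const attributes = {};
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    if (i === -1) attributes[attr.toLowerCase()] = true;
    else attributes[attr.slice(0, i).toLowerCase()] = attr.slice(i + 1);
  }
  return { name, value, attributes };
}

// Audit step: classify every cookie a response tries to set. A cookie that is
// not in the register is flagged 'unknown': it cannot be described to the
// visitor, so it cannot be consented to, and the audit is incomplete.
function auditSetCookieHeaders(headers) {
  return headers.map((h) => {
    const cookie = parseSetCookie(h);
    const entry = COOKIE_REGISTRY[cookie.name];
    return {
      name: cookie.name,
      category: entry ? entry.category : 'unknown',
      purpose: entry ? entry.purpose : 'not documented',
      needsConsent: !entry || entry.category !== 'essential',
    };
  });
}

// Consent gate. Essential cookies may always be stored; anything else waits
// for an explicit 'agree'. No decision at all is treated like 'No thanks',
// which is the opt-in model the amended regulations require. Cookies missing
// from the register are refused even after consent, since the visitor was
// never told about them.
function mayStore(cookieName, consent) {
  const entry = COOKIE_REGISTRY[cookieName];
  if (!entry) return false;
  if (entry.category === 'essential') return true;
  return consent === 'agree';
}

// Reduce a response's Set-Cookie headers to those the current decision allows.
function filterSetCookieHeaders(headers, consent) {
  return headers.filter((h) => mayStore(parseSetCookie(h).name, consent));
}

// Constructed sample: what a not-yet-compliant page might try to set on first visit.
const SAMPLE_SET_COOKIE = [
  'basket_id=b7f3; Path=/; Secure; HttpOnly; SameSite=Lax',
  'csrf_token=9a1c; Path=/; Secure; HttpOnly',
  '_ga=GA1.2.1; Path=/; Domain=.example.com; Max-Age=63072000',
  'ad_id=xyz; Path=/; Domain=.ads.example.net',
  'tracker=1; Path=/',
];

// Stand-alone run: print the audit, then what survives before and after consent.
for (const row of auditSetCookieHeaders(SAMPLE_SET_COOKIE)) {
  console.log(`${row.name.padEnd(12)} ${row.category.padEnd(12)} consent needed: ${row.needsConsent}`);
}
console.log('before consent:', filterSetCookieHeaders(SAMPLE_SET_COOKIE, undefined));
console.log('after "I agree":', filterSetCookieHeaders(SAMPLE_SET_COOKIE, 'agree'));
```

Run as written, the audit flags `tracker` as unknown, only `basket_id` and `csrf_token` are stored before the visitor decides, and after ‘I agree’ the registered analytics and advertising cookies are allowed through while `tracker` is still refused. In a real site the same gate sits in front of whatever sets cookies, including the loading of third party scripts, not only the server’s own Set-Cookie headers.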

Over time it is assumed that users’ knowledge of cookies will improve (especially given the wave of website changes likely to arise in May) and that website operators will increasingly be able to rely on settings in web browsers.

However, given users’ current lack of knowledge and the differing capabilities of web browsers, implied consent through browser settings will not be acceptable for some while.

An interesting example site to visit initially is the ICO website where you can see how the ICO has implemented its solution by means of a separate header bar seeking user consent.

As noted at the start, the regulations are already in force – the 12 month moratorium applied only to the ICO’s use of its enforcement powers, not to the obligations themselves.

The most important thing is that from the end of May organisations are operating their websites in accordance with the regulations or, at the very least, have a credible plan to achieve compliance that they can show to the ICO if asked.


Richard Anning is head of the IT Faculty at the ICAEW. For more information visit the Faculty site.