Website Legal Requirements – Cookies and Consent from the 26th of May 2011

As a result of changes to the Privacy and Electronic Communications Directive, it is now unlawful to use cookies to collect user data without first obtaining consent. There is an exception when a cookie is strictly necessary for a service which a user has requested, e.g. where a user places an item in an online shopping basket and there is a need to ensure that payment is for the goods actually purchased.

Check Your Website

Website owners should audit their websites for compliance by checking what types of cookies are used and how. Consider whether or not the “strictly necessary” exception applies. Also, do not forget that third parties placing content on your website, e.g. advertisements, may be setting cookies.

Assess how intrusive your use of cookies is and then decide which solution is most suitable for your business to obtain the required consent from users.

How to Obtain Consent

A few weeks ago the UK Information Commissioner published guidance on how to comply with the new laws. The guidance states that “you need to provide information about cookies and obtain consent before a cookie is set for the first time. Provided you get consent at that point you do not need to do so again for the same person each time you use the same cookie (for the same purpose) in future”.

It was suggested that consent could be obtained via:

  • pop-ups, or
  • your terms of use, which users agree to upon registering with your website, or
  • text in a header or footer on pages of the website, or
  • inclusion in preferences that users set when using a website

Relying on browser settings is not acceptable. However, the Information Commissioner has indicated that, in the future, when an adequate technical solution is developed for browsers, this may suffice.

Consequences of Non-Compliance

During the next 12 months the Information Commissioner’s Office (ICO) will not penalise an organisation for breaches of the new laws. However, organisations should be taking steps now to ensure compliance with the new rules by May 2012, as failure to take appropriate steps now will be taken into account when formal enforcement begins in May 2012.

Penalties for Breach

The ICO can impose a fine of up to £500,000 for a serious breach. A serious breach is defined as a serious contravention likely to cause substantial damage or distress. The breach must have been deliberate, or the person responsible must have known or ought to have known that a breach would occur and then failed to take reasonable steps to prevent it.

The ICO plans to provide further details on this in October 2011.

Requirement to Notify of Personal Data Breaches

Additionally, there is now a new requirement for telecoms and Internet companies to inform the ICO and customers when personal data is lost, destroyed, altered, disclosed or accessed as a result of a security breach.

The ICO can also investigate the measures taken by website providers to safeguard the security of public electronic communications, and can investigate and fine websites depending on how they deal with personal data breaches.


Irene Bodle is an IT lawyer specialising in Internet Law and SaaS Agreements with over 10 years' experience in the IT sector. If you require assistance with any Internet Law, SaaS, ASP, software on demand contracts or any other IT legal issues, contact me:

