Websites Legal Requirements – Cookies and Consent

As a result of the Citizens’ Rights Directive, from the 25th of May 2011 the legal requirements for UK websites will change and website operators will need to obtain prior consent from users before using cookies. This will change the UK cookie consent policy from “opt out” to “opt in”.

What is a Cookie?

Cookies are small text files placed on a user’s computer by certain websites to allow the saving of user names and passwords, user preferences and certain user actions to allow targeted marketing.

Current Law on Cookies – Opt Out

Cookies can be used on websites provided that consent is obtained from users. Consent does not have to be obtained prior to the cookie being placed and is usually obtained via the privacy policy of a website. The privacy policy should state that cookies are used on the website, the purpose for which cookies are used and provide an opportunity for the user to refuse cookies i.e. opt out. By accepting the privacy policy – by virtue of using the website – consent to the use of cookies is deemed to have been given.

This is the current view taken by the UK Information Commissioner.

Prior Consent required from the 25th of May 2011 – Opt In

Under the Citizens’ Rights Directive, from May 2011 consent must be obtained before a cookie can be placed, unless the cookie is ‘necessary’ for the delivery of the service, for example where the cookie takes the user from a product page to a payment page. In addition, where it is technically possible and effective, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application.

This means that from May a user will generally need to “opt in” to the use of cookies. However, it is not clear whether the new law requires that a user should give consent each time a cookie is placed, or whether a one-off consent when a user sets up their web-browser suffices.

Guidance on New Rules

Guidance should be provided by the EU on this issue in early 2011 which gives website operators little time to adapt their websites prior to the May deadline. The UK, along with several other countries, has indicated that it will just copy the wording of the Directive and leave interpretation of the new rules to the Information Commissioner’s Office (ICO).


Irene Bodle is an IT lawyer specialising in Internet Law and SaaS Agreements with over 10 years experience in the IT sector. If you require assistance with any Internet Law, SaaS, ASP, software on demand contracts or any other IT legal issues contact me:

To register for my newsletter click here


Other related articles: