Website Legal Requirements – Cookies – Updated ICO Guidance

The UK Information Commissioner's Office (ICO) will now start to investigate and prosecute companies for breaches of the Privacy and Electronic Communications (Amendment) Regulations. These set out the obligations of website operators to provide users with information about cookies and obtain user consent to the use of cookies. Failure to comply with the rules can result in a fine of up to £500,000.

What is a Cookie?

Cookies are small text files placed on a user’s computer which record online activity. The majority of websites use cookies to measure visits and the use of websites (analytics cookies). Cookies are often also used to save user names, passwords and user preferences to make repeated use of a website more comfortable for the user. However, increasingly cookies are being used to collect information about users for the purposes of targeted marketing.

Changes to the Data Commissioner’s Guidance

On the 25th of May 2012 the ICO revised its guidance on how to obtain consent from users to the use of cookies.

It is now acceptable for website operators to obtain implied consent from users to the use of cookies, provided that:

  • users take some action from which consent can be inferred, i.e. accepting a privacy policy on a website; and
  • users understand that their actions will result in cookies being set.

Where such implied consent is obtained by users agreeing to a privacy policy, the privacy policy must be easy to find on the website and not be difficult to understand.

However, where companies are collecting sensitive personal data (such as health information), be aware that implied consent will probably not suffice and explicit consent will need to be obtained.

Monitoring and Penalties for Breach

It is unlikely that monetary fines will be issued by the ICO in the first instance for failure to comply with the new cookie rules. The ICO has stated that it will consider ensuring compliance by requiring companies to give formal undertakings and by issuing enforcement notices. Compliance of websites generally will be monitored by the ICO via its online reporting tool. Members of the public will be able to report cookie concerns about particular websites or sectors by using the online tool on the ICO’s website.


Irene Bodle is an IT lawyer specialising in Internet Law and SaaS Agreements with over 10 years' experience in the IT sector. If you require assistance with any Internet Law, SaaS, ASP, software on demand contracts or any other IT legal issues contact me:
