Website Legal Requirements – Cookies – New Guidelines

From the 26th of May 2012 the UK Information Commissioners Office (ICO) will start prosecuting companies for breaches of the Privacy and Electronic Communications (Amendment) Regulations. These set out the obligations of website operators to provide users with information about cookies and obtain their consent when using cookies. Failure to comply with the rules can result in a fine of up to £500,000.

What is a Cookie?

Cookies are small text files placed on a user’s computer which record online activity. The majority of websites use cookies to measure visits and the use of websites (analytics cookies). Cookies are often also used to save user names, passwords and user preferences to make repeated use of a website more comfortable for the user. However, increasingly cookies are being used to collect information about users for the purposes of targeted marketing.

The New Rules

The new rules apply to the use of all cookies or similar technologies for storing information, such as flash cookies, web beacons or bugs. No distinction is made between different types of cookies in the rules. They apply to both session and persistent cookies and to first party and third party cookies.

Consent must be freely given, specific and informed, unless the cookie is ‘necessary’ for the delivery of the service, for example, where the cookie takes the user from a product page to a payment page. This generally means that a user needs to “opt in” to the use of cookies.

The more specific the consent is, the less likely it is that you will be in breach of the rule. For example, if you obtain consent before the cookie is set you will have specific consent. If you rely on implied consent you will need to show that the user has taken some positive action to imply consent. The UK Chamber of Commerce has provided some suggested wording for use on websites.

Cookie Information

Clear and comprehensive information about the type of cookies being used and the purposes for which they are set must be provided. The UK Chamber of Commerce suggests categorising cookies into 4 groups – strictly necessary, performance, functionality and targeting or advertising cookies.

Who do the Rules Apply to?

The Regulations do not define who is responsible for complying with the rules, so primarily it is the person or company setting the cookie. Where third party cookies are used, both parties will have a responsibility for ensuring users are clearly informed about cookies and for obtaining consent.

Organisations based in the UK will be subject to the rules even if their website is hosted outside of the UK. If organisations are based outside of the EU but their websites are designed or products and/or services are directed at EU customers they should provide information and choices about cookies that comply with the rules.

Guidance on How to Comply with the New Rules

The ICO has issued non-binding guidance suggesting ways in which consent to the setting of cookies can be obtained and the International Chamber of Commerce (ICC) UK’s guidance also suggests various methods for complying with the notice requirements. A summary of these suggestions and some examples from the guides have been set out below.

  • Terms and Conditions: When users sign up to use a website, consent to the use of cookies should be obtained on registration, either specifically or by reference to a privacy policy, cookie policy or terms and conditions. This does not, however, cover the problem of obtaining consent from existing users.
  • Banners /Footers: Where websites have cookies built into the landing page, the use of cookies should be highlighted in a prominent place on the landing page, e.g. via a banner – as on the ICO home page – or in a footer or information box – as on the website.
  • Pop-ups: Each time a cookie is to be set, a pop-up informs the user. By continuing to use the website, the user is deemed to have consented to the cookie. In practice, however, pop-ups are not a very practical solution, particularly where numerous cookies are used.
  • Settings /Features: Where users can choose preferences when using a website, for example via videos that remember how users personalise their interaction, these settings/features could be used to obtain consent.

Additionally, the Internet Advertising Bureau Europe (IAB) has developed a voluntary code using the display of an icon on a website whenever an advert tracks a user’s behaviour. By clicking on the icon the user can switch off behavioural adverts. However, this only applies to the adverts of companies who are members of the scheme.

How to Avoid Fines

Despite the impending May deadline, many companies have not taken any action to amend their websites and are simply waiting to see what happens. In light of the guidance from the ICO this is not advisable.

If you have not already done so, you should carry out a cookie audit to review the use of cookies on your website. You will need to assess what types of cookies you use and how long they persist, and remove any redundant or unnecessary cookies.

Thereafter you should update the information you provide about cookies in your privacy policy or create a separate cookie policy, ensuring that this information is easy to find on your website. You need to state the type of cookies you use, why you use them and how users can opt out of you using such cookies.

You also need to review the steps that you take to obtain consent to any cookies you use: how and when the consent is obtained, and whether it is implied or specific. Also do not forget to provide information about any third party cookies that are placed, and provide links to any information about these that the third parties may provide.
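The audit steps above can be started from a capture of the Set-Cookie headers a site returns. The following is an added example, not part of the original article: it inventories each cookie's lifetime (session or persistent), whether it is first or third party relative to the audited site, and whether it falls outside a documented 'strictly necessary' list and therefore needs consent. The site host, the allowlist and the captured headers are all constructed for illustration.

```python
"""Cookie audit helper: inventories Set-Cookie headers captured from a site.

Added example, not part of the original article. The site host, the
'strictly necessary' allowlist and the captured headers are constructed.
"""
from http.cookies import SimpleCookie
from urllib.parse import urlparse

SITE_HOST = "shop.example"  # constructed: the site being audited
# Constructed allowlist: cookies the operator documents as strictly necessary
STRICTLY_NECESSARY = {"sessionid", "basket"}

# Constructed capture: (URL that returned the header, raw Set-Cookie value)
CAPTURED = [
    ("https://shop.example/", "sessionid=abc123; Path=/; Secure; HttpOnly"),
    ("https://shop.example/cart", "basket=item42; Path=/; Max-Age=86400"),
    ("https://shop.example/",
     "_ga=GA1.2.1; Domain=.shop.example; Expires=Thu, 01 Jan 2015 00:00:00 GMT"),
    ("https://ads.tracker.example/pixel",
     "uid=xyz; Domain=.tracker.example; Max-Age=63072000"),
]


def audit_cookie(response_url, set_cookie):
    """Describe one cookie: name, party, lifetime and whether consent is needed."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    name, morsel = next(iter(jar.items()))
    host = urlparse(response_url).hostname
    # A cookie without an explicit Domain attribute belongs to the responding host
    domain = (morsel["domain"] or host).lstrip(".")
    # First party if the cookie domain is the audited site or a parent of it
    first_party = SITE_HOST == domain or SITE_HOST.endswith("." + domain)
    # Session cookies carry neither Expires nor Max-Age
    lifetime = morsel["max-age"] or morsel["expires"] or "session"
    return {
        "name": name,
        "party": "first" if first_party else "third",
        "lifetime": lifetime,
        # Anything not documented as strictly necessary needs opt-in consent
        "needs_consent": name not in STRICTLY_NECESSARY,
    }


def run_audit(captured=CAPTURED):
    """Audit every captured header and return one record per cookie."""
    return [audit_cookie(url, header) for url, header in captured]
```

Records with `needs_consent` set are the ones that must be either covered by a consent mechanism or removed; third party records should also be cross-checked against the information the third party provides.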

Enforcement by the ICO

From 26th May 2012 you must comply with the new rules and the ICO will start taking formal action. The ICO has stated that it will be selective. For example, it has clearly indicated that it is unlikely to prosecute companies who only use analytics cookies and will concentrate on websites where no steps have been taken towards collecting consent or where particularly intrusive cookies are used.

Irene Bodle is an IT lawyer specialising in Internet Law and SaaS Agreements with over 10 years’ experience in the IT sector. If you require assistance with any Internet Law, SaaS, ASP, software on demand contracts or any other IT legal issues contact me:
