The law change on internet cookies

Many cookies are benign but others are tracking cookies, which many users find intrusive. We explain the recent EU moves to clarify the law on the subject.

By Anthony Dhanendran, 18/10/2011

[Image: Information Commissioner's Office screenshot. Caption: The ICO is the only website so far to ask users for cookie consent]

Cookies, in internet terms, are small files issued by websites that sit on your computer. When you visit a site, it will normally leave a cookie on your PC, allowing it to perform a certain function.

Many of these are benign, or even beneficial: shopping basket systems, automatic log-ins, saved plays from online games and remember-my-details buttons all rely on cookies. However, they are also used for purposes that some people find unappealing.

Cookies nowadays are often used to deliver advertising – they make a note of which sites the PC has been used to visit, and tell some websites what type of adverts you may find interesting. If you visit a lot of sites about fishing, for instance, the next time you visit an unrelated website you might be shown adverts for fishing tackle.

A lot of people find this use of so-called ‘tracking cookies’ intrusive and so the EU has recently moved to clarify the law in that area.

What’s changed?
The changes to the law come from a piece of EU legislation called the Privacy and Electronic Communications Regulations, which was ratified in late 2009. All member states were required to implement the changes within their own laws by 25 May 2011.

The Government here decided to give businesses a 12-month ‘grace period’ for making the changes – while the law is in effect now, the changes won’t be enforced until next May.

Previously, websites had to inform people how they would use cookies and tell them that they could opt out. But now, instead of telling users they can opt out, websites must ensure the user has given consent for the cookie to be placed.

There is an exception to the rule, which is that consent isn’t required if a cookie is ‘strictly necessary’ for a service requested by the user.

As with many legal terms this is open to interpretation but the Information Commissioner’s Office (ICO), which is responsible for advising businesses on the new rules, says one example would be a shopping basket where a user is choosing goods to buy – the fact that the user has requested the service by choosing the products means that consent for placing a cookie is not required.

What do websites need to do?
The ICO’s advice to businesses is that website owners “cannot ignore these rules”. The way users give their consent isn’t set in stone, and there are several ways in which consent might be granted, such as displaying a pop-up message or including a consent clause in the terms a user must agree to when they create an account with a site.

The Information Commissioner Christopher Graham said: “This advice is very much a work in progress and doesn’t yet provide all of the answers.”

Because the changes are potentially quite large the ICO has given businesses several months to “get their house in order”, but Mr Graham added: “This does not let everyone off the hook. Those who choose to do nothing will have their lack of action taken into account when we begin formal enforcement of the rules.”

Enforcement measures include a penalty of £1,000 on companies that don’t comply, or up to £500,000 for ‘serious breaches’.

For users, the ICO has said that over the next few months they are “likely to start to see more information about cookies on sites and be given more choices about these cookies”.

If a website appears not to be complying with the new rules within the transition period, the ICO says it will provide advice and possibly ask the site's owners to explain what changes they will be making.

A question of consent
But there is the question of what constitutes consent and what is regarded as ‘strictly necessary’. The Department for Culture, Media and Sport (DCMS) is the government department responsible for implementing the regulations here, and it wants the law to be ‘light touch and business friendly’. Its guidelines say the Government won’t specify the technical means by which websites obtain consent.

After the changed law came into force, Communications Minister Ed Vaizey said in an open letter that because the law calls for consent and not ‘prior’ consent, “there is no indication in the definition as to when that consent may be given, and so it is possible that consent may be given after or during processing”.

This upset privacy advocacy groups. Alex Hanff of Privacy International said Mr Vaizey’s interpretation of the law was a “total farce” and he was “putting two fingers up at the law”.

Jim Killock of the Open Rights Group said: “Cookies weren’t meant to be used like this. Because profiling people’s interests without consent is morally reprehensible, and an attack on our fundamental right to privacy, the EU chose to legislate to require consent.”

Our verdict
As things stand, it’s not clear what’s going to happen. The ICO’s website already has a notice at the top of its home page asking users to tick a box to accept cookies, but as far as we know it’s the only one so far to do so.

The rules are still unclear as to how far companies have to go to gain users’ consent: the Government says sites can use the settings from users’ browsers to infer consent, but the ICO’s guidance is that because not all browsers offer these settings, that is not sufficient.

The ICO and the DCMS are likely to issue more guidance over the next few months as websites start to bring themselves up to date, and we will keep you informed as that happens.
