EU Cookie Compliance in Website Development: Don't Leave Any Crumbs!

April, 2012 - Michelle Sherwood

With the Information Commissioner's Office (ICO) grace period for enforcing the new cookies rules almost at an end, companies should work with their website developers at an early stage to ensure compliance. The ICO will soon be confirming that its 12-month ‘lead in’ implementation period has come to an end. Website operators then run the risk of enforcement action and fines if they fail to comply with the new cookies regime.

What is a cookie?

Cookies are small pieces of code which are implanted by websites on a user’s computer. A cookie file can collect an array of information, as well as track a user’s browsing habits, often without the user knowing about it.

The rules

The change in law on the use of cookies, which has been implemented through the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011, came about to recognise that cookies can invade people’s privacy, and aims to give users more choice about how their internet activity is monitored. 

The 2011 Regulations provide that website operators can only use cookies on their websites if the user:

  • has been provided with clear and comprehensive information about the purposes for which the cookie is stored and accessed
  • has given consent to the use of the cookie

Website development: Considerations

A company looking to launch a new website can only provide clear information to users about cookies if it, itself, has a good understanding of the cookies being used.

It is therefore vital that companies work with their website developers as early as possible to understand what cookies the website will be using, why those cookies are required, and what the cookies actually do. 

Whilst the company will be relying on the website developer’s expertise and information, it is the company that is responsible for complying with the 2011 Regulations.  For this reason, it is sensible to build warranties relating to cookies into any website development contract.

Is consent required?

If the cookies being used on the website are ‘strictly necessary’ to enable the website to provide a requested service to a user, then the consent of the user to place the cookie will not be required.

It is prudent to explore this with the website developer early on.

Companies should note that the ICO has confirmed (in its May and December guidance) that the ‘strictly necessary’ exception will be interpreted very narrowly.

A company should, therefore, satisfy itself that the exception applies. If it later transpires, on further analysis, that certain cookies are not essential to the website’s functionality in providing the service requested, the company will not be able to rely on the exception, and will have to get user consent, or it will find itself non-compliant. 

If consent to place the cookie is required, the ways in which consent will be obtained from users can then be explored by the company and built into the website design/specification.

Final thoughts

Our experience shows that companies are only considering their use of cookies at a late stage in website development. 

Carrying out due diligence at an early stage, and addressing cookies within the website development contract, will avoid the need for companies to sweep up any crumbs at the last moment.

 
