Cookie Law

Please note: Cookie laws have changed with effect from 26th May 2011. Also we use the regulations of http://www.aboutcookies.org/ because of the high quality content.

On 26th May 2011, new laws came into force in the UK that affect most web sites. If cookies are used in a site, the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (UK Regulations) provide that certain information must be given to that site’s visitors and the user must give his or her consent to the placing of the cookies.

The UK Regulations implemented into UK law the provisions of the amended E-Privacy Directive of 2009. The Directive required that the new laws be implemented into the laws of all EU Member States by 25th May 2011. The UK is one of only three Member States to have met this deadline.

Below you will find details on the UK Regulations and some additional information on the E-Privacy Directive itself. Because each Member State has some discretion in how it implements a Directive, the cookie laws in other European countries may differ from those of the UK.

UK Regulations

The actual wording of the Regulations

The relevant rules are found in amended regulation 6, which reads as follows:

6. – (1) Subject to paragraph (4), a person shall not store or gain information, or to gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.

(2) The requirements are that the subscriber or user of that terminal equipment –

(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and

(b) has given his or her consent.

(3) Where an electronic communications network is used by the same person to store or access information in the terminal equipment of a subscriber or user on more than one occasion, it is sufficient for the purposes of this regulation that the requirements of paragraph (2) are met in respect of the initial use.

(3A) For the purposes of paragraph (2), consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent.

(4) Paragraph (1) shall not apply to the technical storage of, or access to, information –

(a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or

(b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.

 

What does this mean?

The UK Regulations mean that a website operator must not store information or gain access to information stored in the computer (or other web-enabled device) of a user unless the user “is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information” and “has given his or her consent”.  The consent requirement in the UK Regulations replaces the previous position which provided that visitors should be given the option to refuse cookies.

The only cookies that do not need users’ consent are those that are necessary to fulfill the user’s request. That will cover, for example, the use of cookies to remember the contents of a user’s shopping cart as the user moves through several pages on a website. Other cookies, including those used to count visitors to a site and those used to serve advertising, will require consent.

The term “consent” is not defined in the UK Regulations or the Data Protection Act 1998.  It is, however, defined in the Data Protection Directive of 1995, as “any freely given specific and informed indication of his wishes”.  This Directive was implemented in the UK by the Data Protection Act.

The consent requirement has been the subject of much discussion since the publication of the amended E-Privacy Directive.  Various authorities, including the Article 29 Working Party (a coalition of data protection regulators from across the EU), the UK Government and the Information Commissioner’s Office (ICO) have voiced conflicting opinions on how the consent requirement will operate in practice.  The authorities have differing views on whether consent should be obtained prior to the placing of cookies. It is difficult to see how anything other than prior consent will comply with the wording of the UK Regulations.

“Consent must be obtained before the cookie is placed and/or information stored in the user’s terminal equipment is collected, which is usually referred to as prior consent,” said the Working Party’s Opinion (24-page / 202KB PDF). “Informed consent can only be obtained if prior information about the sending and purposes of the cookie has been given to the user.”

“Average data subjects are not aware of the tracking of their online behaviour, the purposes of the tracking, etc. They are not always aware of how to use browser settings to reject cookies, even if this is included in privacy policies,” said the Working Party. “It is a fallacy to deem that on a general basis data subject inaction (he/she has not set the browser to refuse cookies) provides a clear and unambiguous indication of his/her wishes.”

The Working Party did not go as far as to say that every website needs to ask every visitor to accept every cookie, though. Many cookies are used by advertising networks across multiple sites. For these cookies, consent can be given once to a network and cover all the sites that network serves, according to the Working Party.

Shortly before the publication of the Regulations the Information Commissioner published guidance that offers advice on when and how the consent may be given.

Although the guidance suggests a number of methods to obtain consent it stops short of providing definitive guidance on how to achieve compliance, leaving it to businesses and organisations to review their use of cookies and consider how they might be able to obtain the necessary consent.

Neither the ICO nor the UK Government has ruled out the use of browser settings to achieve compliance in the future. The Government has set up a working group comprising Mozilla, Apple, Microsoft, Google, Yahoo, the Internet Advertising Bureau and Adobe to work on a technical solution. In the meantime the ICO advises businesses to obtain consent some other way. The guidance states:

“At present, most browser settings are not sophisticated enough to allow you to assume that the user has given consent to allow your website to set a cookie. Also, not everyone who visits your site will do so using a browser.  They may, for example, have used an application on their mobile device.  So, for now we are advising organisations which use cookies or other means of storing information on a user’s equipment that they have to gain consent some other way”.

The guidance continues:

“You need to provide information about cookies and obtain consent before a cookie is set for the first time.  Provided you get consent at that point you do not need to do so again for the same person each time you use the same cookie (for the same purpose) in future”.

The ICO will consider issuing more detailed advice if they deem it appropriate.  They have stated in their guidance that this may include further examples of how to gain consent for particular types of cookies as methods develop.
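The rule described above (consent before a non-exempt cookie is first set, given once per purpose, with strictly necessary cookies exempt) can be enforced at a single point in site code. The sketch below is an added example, not code from the ICO guidance or from this page; `ConsentGate`, the purpose names and the cookie names are hypothetical, and the cookie writer is injected so the logic also runs outside a browser.

```javascript
// Added example: all names here (ConsentGate, PURPOSES, cookie names) are hypothetical.
// Each purpose records whether it falls outside the regulation 6(4)(b) exemption.
const PURPOSES = new Map([
  ["strictlyNecessary", { needsConsent: false }], // e.g. shopping-cart contents
  ["analytics", { needsConsent: true }],          // e.g. counting visitors
  ["advertising", { needsConsent: true }],        // e.g. serving adverts
]);

class ConsentGate {
  // writeCookie(name, value) performs the actual storage. In a browser it
  // would assign to document.cookie; it is injected so the gate is testable.
  constructor(writeCookie) {
    this.writeCookie = writeCookie;
    this.consented = new Set(); // purposes the user has agreed to
    this.pending = new Map();   // purpose -> Map(name -> value) held back
  }

  // Returns "set" if the cookie was written, "held" if it is awaiting consent.
  set(name, value, purpose) {
    const rule = PURPOSES.get(purpose);
    // Fail closed: a cookie nobody has classified is never written.
    if (!rule) throw new Error(`unclassified cookie purpose: ${purpose}`);
    if (!rule.needsConsent || this.consented.has(purpose)) {
      this.writeCookie(name, value);
      return "set";
    }
    // Nothing is stored on the user's device until consent is given.
    if (!this.pending.has(purpose)) this.pending.set(purpose, new Map());
    this.pending.get(purpose).set(name, value);
    return "held";
  }

  // Call only from an explicit user action (ticking a box, clicking a button).
  // Consent is recorded per purpose, so later cookies for the same purpose
  // need no further prompt. Returns the names of the cookies released.
  grant(purpose) {
    if (!PURPOSES.has(purpose)) {
      throw new Error(`unclassified cookie purpose: ${purpose}`);
    }
    this.consented.add(purpose);
    const held = this.pending.get(purpose) || new Map();
    this.pending.delete(purpose);
    for (const [name, value] of held) this.writeCookie(name, value);
    return [...held.keys()];
  }
}

// Constructed walk-through using an in-memory array in place of a cookie jar.
function demo() {
  const jar = [];
  const gate = new ConsentGate((name, value) => jar.push(`${name}=${value}`));
  const results = [
    gate.set("cart", "sku-123", "strictlyNecessary"),
    gate.set("visit_count", "1", "analytics"),
    gate.set("ad_id", "abc", "advertising"),
  ];
  const beforeConsent = [...jar];
  const released = gate.grant("analytics"); // user ticks the analytics box
  results.push(gate.set("visit_count", "2", "analytics"));
  return { results, beforeConsent, released, jar };
}
```

The advertising cookie in the walk-through stays held because consent was given for analytics only.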

Penalty for non-compliance

Fortunately for operators of web sites, the ICO has indicated that during the next twelve months it will not be taking any enforcement action against companies that can show that they are considering their use of cookies and working on solutions to the problem of obtaining consent.  The key message from the ICO is that inaction is not acceptable. If the ICO is of the view that organisations are not making adequate preparations to be compliant by May 2012 a warning may be issued as to the use of the Information Commissioner’s future powers.

From May 2012 the ICO will follow the approach to enforcement set out in the Commissioner’s Data Protection Regulatory Action Policy. In deciding whether enforcement action is appropriate the ICO will be concerned with the impact of the breach of the new cookie law on the privacy and other rights of website users, not just with whether there has been a technical breach of the UK Regulations.

The UK Regulations carry a maximum fine of £500,000 for serious breaches. It is anticipated that this power will only be used in limited circumstances. Before this the fine was £5,000, and companies may have been willing to run the risk, but with these increased powers the result of enforcement action is potentially more severe.

The Data Protection Act Can Also Apply

The UK’s Data Protection Act of 1998 derives from the EU Data Protection Directive and does not contain specific provisions relating to cookies. However, it does require that where personal information is collected then data subjects (which will include internet users) should be told of this collection or information about it should be made available to them.

Even where it is possible to anonymise information, the information may still be classed as personal data under the Act if it can be traced back or put together with other information to identify the individual.

Therefore the requirements of the Act are that the owner of a web site using cookies (the data controller) must make its identity clear, the purposes for it having the information and anything else necessary in the circumstances to make the processing fair. This information must also be provided when personal data are collected from third parties.

For further information on data protection refer to our sister site, http://www.out-law.com/.

 

Summary

There is a requirement under the amended E-Privacy Directive and the UK Regulations to

  • tell users about cookies and what you are going to use their information for; and
  • obtain their consent to the placing of the cookies.

The Data Protection Act also requires users to be provided with certain information. A simple way to provide internet users with information is to provide them with a privacy policy, a data protection notice, or both. The privacy policy or notice if used properly can meet the information provision requirements of both the Directive and the Act. For further information on implementing a privacy policy or data protection notice online see the OUT-LAW.COM guide on Data Protection.

Obtaining users’ consent to the placing of a cookie is technically more difficult. As yet the browser settings option for obtaining consent is not sufficient in the UK as browsers are currently not sophisticated enough. Until such time as this becomes a possibility (if at all) the ICO and the UK Government advise that consent must be obtained in some other way. The ICO guidance which is a starting point for compliance for organisations, suggests a number of different ways to obtain consent:

  • pop ups or similar techniques asking for consent can be used. Pop ups are discouraged by Web Content Accessibility Guidelines. They may also spoil the experience of using a website. Users can also block pop ups by default, making this impractical;
  • consent can be obtained by using terms of use or terms and conditions.  In using this option consent is given by the user when they first register or sign-up.  If this method is used it is essential that a user is made aware of any changes made to the terms to include consent for cookies and specifically that the changes relate to the use of cookies.  It would then be necessary to obtain a positive indication that the user understands and agrees to the changes;
  • preferences that users choose when visiting a site can also be used as a means of obtaining consent.  Consent could be gained as part of the process by which the user confirms what they want to do or how they want the site to work, provided sufficient information about the use of the cookies is provided.  This would apply to any feature where a user is told that a site can remember certain settings they have chosen;
  • website features, such as videos, that remember how users personalise their interaction can also determine user consent.  In this case, where the user is taking some action to tell the webpage what they want to happen – opening a link, clicking a button or agreeing to the functionality being ‘switched on’ – then their consent to set a cookie can be asked at this point;
  • for use of analytic cookies to gather information about how people access and use a site it may be possible to add a footer or header to a webpage containing text.  This text is highlighted or turned into a scrolling piece of text when a site wants to set a cookie on a user’s device.  In turn this could direct the user to read additional information, possibly contained in a privacy policy, and make an appropriate choice;
  • where a site allows a third party to set cookies the process of getting consent is more difficult.  Initiatives that seek to ensure that users are given more and better information about the use of information, for example the use of the “i” symbol, referred to below, should be used.  Anyone whose site uses or allows third party cookies must ensure that the right information is delivered to users so they can make informed choices.

As an alternative businesses may wish to consider using a non-cookie site. A simple brochure-style site with no way to login and no e-commerce functionality may not use cookies, meaning that the new law will not affect the site. This option may not be practical for many businesses as it could place them at a competitive disadvantage to competitors and sites outside the EU. A non-cookie site may lose revenues from advertising, meaning that it is not cost effective to run such a site. Organisations could charge for these sites but it is unlikely that users will pay to see such a site.

In the absence of definitive methods a hybrid of the above methods is likely to be the way forward for the time being at least, namely a combination of information and consent.

The ICO’s own website places cookies and since 26th May a consent ‘opt-in’ box has been placed at the top of their homepage, requiring users to check a box to consent to the placing of cookies.

Website owners/businesses should consider what would work for them by looking at their business and how they use their website.

 

Useful Links

Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011-06-20

Guidance on changes to the rules on cookies and similar technologies for storing information

Information Commissioner’s Guidance

Department for Culture, Media and Sport open letter on the UK implementation of Article 5(3) of the e-Privacy Directive on cookies

Directive of 2009 amending Directive of 2002

Data Protection Act 1998

Disclaimer: We hope you find this content useful. It was prepared by lawyers at Pinsent Masons. Please remember, though, that it’s intended as general information only. It’s not legal advice. If that’s what you’re seeking, please contact us.

How to control cookies…

All recent versions of popular browsers give users a level of control over cookies. Users can set their browsers to accept or reject all, or certain, cookies. Users can also set their browser to prompt them each time a cookie is offered. The main browser types are listed below. If you have a different browser type, please contact us. You can also control Adobe Local Shared Objects on your computer, also known as LSOs or Flash cookies, but not with your browser. Instead, Adobe’s website offers tools to control Flash cookies on your computer. Users of the Firefox browser can also get an add-on to detect and delete Flash cookies.

Windows PC

Google Chrome

Click on the “Tools” menu and select “Options”. Click the “Under the Bonnet” tab and locate the “Privacy” section, and choose the “Content settings” button. Click the “Cookie settings” tab and choose your preferred settings. Google Chrome allows all cookies by default, but you can restrict the behaviour of first-party and third-party cookies or even block them completely. Click on the Close button when you’ve finished.

Internet Explorer 8.0

Choose Tools and then Internet Options
Click the Privacy tab
Move the slider to choose your preferred settings.
For more specialised cookie settings click on Advanced, check the ‘Override cookie handling’ button and modify the settings to suit your requirements.

Internet Explorer 7.0

Choose Tools and then Internet Options
Click the Privacy tab
Move the slider to choose your preferred settings. The default setting is medium and the menu allows you to select the level of “filtering” on the basis of (a) the source of the cookie and (b) whether the source has a privacy policy.
For more specialised cookie settings click on Advanced.

Internet Explorer 6.0

Choose Tools and then Internet Options
Click the Privacy tab
Move the slider to choose your preferred settings. The default setting is medium and the menu allows you to select the level of “filtering” on the basis of (a) the source of the cookie and (b) whether the source has a privacy policy.
For more specialised cookie settings click on Advanced.

Internet Explorer 5.0

Choose Tools and then Internet Options
Click the Security tab
Select Internet, then Custom Level
Choose one of the options

Internet Explorer 4.0

Choose View and then Internet Options
Click the Advanced tab
Scroll down to the yellow exclamation icon under Security and choose one of the three options (accept or reject cookies or warn before accepting cookies).

Internet Explorer 3.0

Choose View, then Options and Advanced. You can click on the Warn Before Accepting Cookies command.

AOL 9.0

From the AOL Toolbar, select Settings
Select Internet [Web] Options
Select Use your Internet Explorer Settings to set advanced browser options
Select the Privacy tab
Select Advanced
Deselect override automatic cookie handling button
Click OK to exit.

AOL 8.0

From the AOL Toolbar, select Settings
Select Preferences
Select Internet Properties (WWW)
Select the Privacy tab
Select Advanced
Deselect override automatic cookie handling button
Click OK to exit.

AOL 7.0 with IE 6.x

From the AOL Toolbar, select Settings
Select Preferences
Select Internet Properties (WWW)
Select the Privacy tab
Select Advanced
Deselect override automatic cookie handling button
Click OK to exit.

Mozilla

Choose Preferences from the Edit menu. Select Privacy & Security, then select Cookies. Choose your preferred settings.

Mozilla Firebird 0.7

Click on Tools, then Options
Select the Privacy icon in the left-hand panel
Click on Cookies.
Choose your preferred settings.

Mozilla Firefox 1.0

Click on Tools, then Options
Select the Privacy icon in the left-hand panel
Click on Cookies.
Choose your preferred settings.

Mozilla Firefox 1.5

Click on Tools, then Options (or Edit | Preferences on Linux)
Select the Privacy icon in the left-hand panel
Click on Cookies.
Choose your preferred settings. (You can configure which sites are allowed to set cookies, how long to keep them for, and view and manage your existing cookies.)

Mozilla Firefox 2.0

Click on Tools, then Options (or Edit | Preferences on Linux)
Select the Privacy icon in the left-hand panel
Click on Cookies.
Choose your preferred settings.

Note that the option to block third-party cookies has been removed from Firefox 2’s user interface. Firefox 2 users who wish to limit allowed cookies to those set by the originating website can use about:config to modify the preference network.cookie.cookieBehavior to “1”. To modify this property simply type “about:config” (without quotes) in the Location Bar, press Enter and modify the value in the resulting page. Other options for the network.cookie.cookieBehavior preference are set out below:

“0” All cookies are allowed. (Default)
“1” Only cookies from the originating server are allowed.
“2” No cookies are allowed.

Mozilla Firefox 3.0

Click on Tools, then Options (or Edit | Preferences on Linux)
Select Privacy
Select Cookies.
Choose your preferred settings. (You can configure which sites are allowed to set cookies, how long to keep them for, and view and manage your existing cookies.)

Netscape Navigator 7

Choose Preferences from the Edit menu. Select Privacy & Security, then select Cookies. Choose your preferred settings.

Netscape Navigator 6

Choose Preferences from the Edit menu. Select Privacy & Security, then select Cookies. Choose your preferred settings.

Netscape Navigator 4

Go to the task bar and click Edit. Click Preferences and Advanced, and then choose your options in the Cookies box.

Deepnet Explorer

Click on Tools
Then select Cookie Manager.
Here you will be able to access various aspects of the Cookie Manager.

Deepnet Explorer 1.1+

Choose Clean up from the Tools menu
Choose Clear Cookies
All cookies will be removed.

Deepnet Explorer 1.5.3 (BETA 3)

Choose Tools
Click on Web Browser Options
Cookie Filter gives you control over the black and white list and the Cookie Manager gives you information about all the cookies on your PC.

Opera (Windows and UNIX)

Go to Tools in the main menu
Go to Preferences at the bottom of the File menu (or press Alt+P to access them directly).
Click Privacy and select one of the available options.
In addition to choosing different settings for first-party (“normal”) and third-party cookies, you may edit cookie settings on a domain/server basis or even edit individual cookies by clicking the “Manage cookies” button.

 

Apple Macintosh

 

Internet Explorer 5 (MacOS X)

Choose Preferences from Explorer menu
Select Receiving Files options
Select Cookies
Choose your preferred settings

Internet Explorer 5 (MacOS 9)

Choose Preferences from Edit menu
Select Receiving Files options
Select Cookies
Choose your preferred settings

Mozilla

Choose Preferences from the Edit menu. Select Privacy & Security, then select Cookies. Choose your preferred settings.

Netscape Navigator 7

Choose Preferences from the Edit menu. Select Privacy & Security, then select Cookies. Choose your preferred settings.

Netscape Navigator 6

Choose Preferences from the Edit menu. Select Privacy & Security, then select Cookies. Choose your preferred settings.

Safari 1.0 (MacOS X)

Choose Preferences from Safari menu
Select Security icon
Cookie settings are shown in window
Choose your preferred settings.

Opera

Go to Opera in the main menu and select Preferences (or press Alt+P to access them directly)
Select Privacy
In addition to choosing different settings for first-party (normal) and third-party cookies, you may edit cookie settings on a domain/server basis or even edit individual cookies by clicking the Manage cookies button.

How to delete cookies…

Most cookies are easy to delete. Just pick your browser from the choices below and follow the instructions. If your browser isn’t listed, please contact us.

You probably have Adobe Local Shared Objects on your computer, also known as LSOs or Flash cookies. Generally you can’t delete them with browser controls, but Adobe’s website offers tools to control Flash cookies on your computer. Users of the Firefox browser can also get an add-on to detect and delete Flash cookies.

 

Windows PC

 

Google Chrome

Click on the “Tools” menu and select “Options”.
Click the “Under the Bonnet” tab, locate the “Privacy” section and click the “Clear browsing data” button.
Select “Delete cookies and other site data” to delete all cookies from the list (alternatively, you can remove all cookies created within a specific time period by selecting the period you want from the dropdown list).
Select “Clear browsing history” to delete traces of which websites you’ve visited.
Select “Clear download history” to delete records of which files and programs you’ve downloaded.
Select “Empty the cache” to delete cached website pages.
You can also delete saved passwords (which log you into websites) and saved form data (such as your name and address).
Then click on the “Clear browsing data” button.
Click on the Close button when you’ve finished.

Internet Explorer 9

Open an Internet Explorer window
Click the “Tools” button
Point to “safety” and then click “delete browsing history”
Tick the “cookies” box, then click “delete”

Internet Explorer 8

Click “Safety” on the Command bar
Select “Delete Browsing History”
Select the option for cookies and click Delete

Alternatively, Internet Explorer 8’s new InPrivate browsing feature allows users to browse the internet without recording information from visited sites (including cookies). To use InPrivate mode:

Click “Safety” on the Command bar
Select “InPrivate Browsing”

Internet Explorer 7.x

Exit Internet Explorer 7, and then exit any instances of Windows Explorer
Click Start, click Run, type inetcpl.cpl, and then press ENTER
On the General tab, click Delete under Browsing History in the Internet Properties dialog box
In the Delete Browsing History dialog box, click Delete Cookies
In the Delete Cookies dialog box, click Yes.

Internet Explorer (all other versions)

Internet Explorer saves cookies in more than one location, depending on the version of the browser and the version of Microsoft Windows being used.

The best way to find and delete them is to close Internet Explorer then use your file management software (such as Windows Explorer) and search for a folder called ‘cookies’.

AOL 8 and 9

Sign on and select Settings from the toolbar.
Version 9.0 users should select the By Category tab and click the Internet [Web] Options link, while for Version 8.0 and below click Internet Properties (WWW).
Click Settings.
Note: Windows Vista users will see more than one Settings button. Click the button in the Browsing history section.
Click View Files. Your list of cookies (plus your other temporary internet files) will be displayed.
If you wish to delete any of the cookies or files, right-click on them and choose Delete.

Mozilla

Choose Cookie Manager from the Tools menu.
Choose Manage Stored Cookies.
Remove any cookie from the list, or remove all cookies.

Mozilla Firebird

Click on Tools, then Options
Select the Privacy icon in the left-hand panel
Click on Cookies
Click on Stored Cookies
To remove a single cookie click on the entry in the list and click on the Remove Cookie button
To remove all cookies click on the Remove All Cookies button

Mozilla Firefox

Click on Tools, then Options (or Edit | Preferences on Linux)
Select Privacy
In the Cookies panel, click on Show Cookies
To remove a single cookie click on the entry in the list and click on the Remove Cookie button
To remove all cookies click on the Remove All Cookies button

Netscape Navigator 7.x

Choose Cookie Manager from the Tools menu.
Choose Manage Stored Cookies.
Remove any cookie from the list, or remove all cookies.

Netscape Navigator 6.x

Choose Cookie Manager from the Tools menu.
Choose Manage Stored Cookies.
Remove any cookie from the list, or remove all cookies.

Netscape Navigator 4.x

In Netscape, all cookies are stored in one file, called Cookies.txt, in the user preferences folder, making them easy to find and delete. The folder can be located by using your file management software to search your hard disk drive for “cookies.txt”.

Users of Netscape Navigator 4.x may also stop cookies from being written to the hard drive, by making the cookies file read only. However, even if the browser can’t “write” cookies to the hard drive, it can still cache them, and it may create a new cookie file.

Opera

To delete all cookies at the end of every session, select that option in the privacy settings under Tools > Preferences.
Click on Manage cookies to delete specific cookies or cookies from specific domains.

To delete all cookies immediately, go to Delete private data on the Tools menu.

Deepnet Explorer 1.1+

Choose Tools and then Internet Options
Click the Privacy tab
Move the slider to choose your preferred settings.


Apple Macintosh

Microsoft Internet Explorer 5 (MacOS X)

Choose Preferences from Explorer menu
Select Receiving Files options
Select Cookies
Select the Cookies to be deleted from the list
Press Delete button

Microsoft Internet Explorer 5 (MacOS 9)

Choose Preferences from Edit menu
Select Receiving Files options
Select Cookies
Select the Cookies to be deleted from the list
Press Delete button

Mozilla

Choose Cookie Manager from the Tools menu.
Choose Manage Stored Cookies.
Remove any cookie from the list, or remove all cookies.

Netscape Navigator 7.x

Choose Cookie Manager from the Tools menu.
Choose Manage Stored Cookies.
Remove any cookie from the list, or remove all cookies.

Netscape Navigator 6.x

Choose Cookie Manager from the Tools menu.
Choose Manage Stored Cookies.
Remove any cookie from the list, or remove all cookies.

Safari 1.0 (MacOS X)

Choose Preferences from Safari menu
Select Security icon
Press Show Cookies button
Select the Cookies to be deleted from the list
Press Delete button

Opera

To delete all cookies at the end of every session, select that option in the privacy settings under Opera > Preferences.
Click on Manage cookies to delete specific cookies or cookies from specific domains.

To delete all cookies immediately, go to Delete private data on the Tools menu.