Start-Up Guide to Cookies
Businesses are required to obtain positive consent from visitors to their websites to store or retrieve usage information from users’ computers or mobile devices using cookies.
What are cookies?
While cookies and the information they transmit may not be able to identify a living individual on their own, they may well be able to do so in combination with other information held by the recipient of the transmitted information or a third party.
Are there any exceptions to the new rules?
There is only one exception to this new consent rule. The business will not need to get consent for an activity that is “strictly necessary” for a service requested by the user. For example, a business would not need consent for a cookie which the business uses to ensure that goods added to a customer’s basket were “remembered” on the next page, as this would be essential to allow the customer to purchase the goods.
What steps can you take now?
- Check what type of cookies you use and how they are used. You should identify which cookies are strictly necessary and may not need consent.
- Decide which solution for obtaining consent will be best in the circumstances.
Can browser settings be used to indicate consent?
- Most browser settings are not sophisticated enough to allow a business to assume that the user has given their consent to allow the website to set a cookie.
- Not every visitor will use a browser.
What other options exist for indicating consent?
The business needs to provide information about cookies and obtain consent before a cookie is set for the first time. If you get consent at this stage you will not need to do so again in future.
Many websites routinely use pop-ups or “splash pages” to make users aware of changes to the site or to ask for user feedback. Similar techniques could be a useful way of informing users of the cookies you use and the choices they have.
Terms and conditions
- You will need to gain a positive indication that users understand and agree to the changes (for example, by asking the user to tick a box).
Some cookies are deployed when a user makes a choice about how the site works for them. Consent could be gained as part of the process by which the user confirms what they want to do or how they want the site to work. However, it is important that the user is made aware that cookies are used to fulfil their choice.
Some objects are stored when a user chooses to use a particular feature of the site. In these cases, presuming that the user is taking some action to tell the webpage what they want to happen, a business could ask for their consent to set a cookie at this point. Again, the user must be made aware that cookies are used to enable the feature.
- A business may often collect information about how people access and use its site in the background and not at the request of the user. This type of activity will still require consent.
- The business should consider how it currently explains its policies to users and make that information more prominent.
- It should also provide more details about what the business does (for example, a list of cookies used with a description of how they work) so that users can make an informed choice about what they will allow.
- A business could, for example, place highlighted text in the footer or header of the web page, or text which turns into a scrolling piece of text when the business wants to set a cookie on the user’s device.
Third party cookies
- If your website displays content from a third party (for example, from an advertising banner), this third party may read and write its cookies on your users’ devices.
- If the website allows or uses third party cookies, you should make sure you are doing everything you can to get the correct information to users to enable them to make an informed choice about what is stored on their device.
What are the penalties for failing to comply?
- If the ICO receives a complaint about a business’ website, the business would be expected to respond by:
– setting out how it has considered the complaint; and
– providing a realistic plan to achieve compliance.
This guide is for general information and interest only and should not be relied upon as providing specific legal advice. If you require any further information about the issues raised in this article please call 020 7404 0606 and ask for your usual Goodman Derrick contact.