How to comply with the UK's new cookie laws

23 May 2011

The UK's Privacy and Electronic Communications Regulations are changing - critically, the new revisions to the legislation require websites that use cookies to gain consent for using those cookies from each website visitor. We look at how to respond to this new legal requirement.

The new cookie regulations are intended to address concerns about privacy, but apply to all cookies, regardless of whether they are potentially intrusive or not, with very few exceptions. Most modern websites use cookies and accordingly the updated regulations will impact almost all website operators.

The new requirement for website operators to gain the user's consent before storing data in a cookie is a potentially onerous one and there are a number of practical issues with technical implementation. The Information Commissioner, who has responsibility for ensuring the new regulations are followed, recognises this and has indicated that the new regulations will be implemented in phases. Further guidance from the ICO is expected in the next few weeks.

However, the Information Commissioner has also made it clear that the ICO expects website operators to prepare to comply with the new regulations.

How to comply with the new Cookie regulations

We've identified the following process that will allow you to prepare to meet the requirements of the new cookie regulations, in line with the ICO's recommendations:

1. Conduct a Cookie Audit. Build an inventory of the cookies created and updated by your website, and the relevance of each cookie to how your website operates. First-party and third-party cookies need to be included, as do session cookies and persistent cookies.

To start, build a list of cookies using one of the many Firefox add-ons (e.g. the Web Developer extension) and then review each cookie in turn. You might need to refer to a website developer for technical assistance, and in specific cases you may wish to talk to your legal advisors too. If performing a comprehensive cookie audit sounds like it's beyond your technical capabilities - contact us for help.

(We performed a Cookie Audit for our website - here's the link.)

2. Assess how intrusive your use of cookies is. Understanding the degree to which each cookie impacts your website's visitors' privacy is key to an accurate consideration of how to comply with the regulations. Your cookie audit may have included an assessment of this impact.

3. Consider how necessary each cookie is. In particular, review whether any of the cookies identified in your audit could be removed, or whether it is possible to reduce the overall privacy impact of your website for visitors.

4. Decide on a solution for obtaining consent - although be aware that we are still waiting for the ICO to provide further guidance on the implementation of the regulation, which could have implications for the methods that websites are allowed (or not allowed) to use to gain consent.

One of the important technical issues here is storing the visitor's preference. If the user declines to give consent for storing cookies, then it will not be (legally) possible to store that preference in a cookie, which could mean that website operators have to ask these users for consent on every visit. We're looking forward to seeing what the ICO advises in these circumstances. Contact us if you have any queries, or subscribe to our email newsletter and we'll update you when the situation becomes clearer.
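As an added illustration of the audit in step 1 (example code added to this article, not from the original post, the ICO or any Firefox extension), the script below turns a constructed set of Set-Cookie headers into the inventory the audit asks for: which host set each cookie, whether it is first- or third-party, session or persistent, and whether the Secure and HttpOnly flags are present. The sample headers, hostnames and cookie names are invented for the example.

```python
from urllib.parse import urlparse

# Constructed sample: Set-Cookie headers as a browser would receive them while
# loading https://www.example.com/, keyed by the URL of the response that set them.
SAMPLE_RESPONSES = {
    "https://www.example.com/": [
        "PHPSESSID=abc123; Path=/; HttpOnly; Secure",
        "prefs=lang%3Den; Expires=Wed, 21 May 2012 07:28:00 GMT; Path=/",
    ],
    "https://analytics.example-tracker.net/collect": [
        "_track=user-42; Max-Age=63072000; Domain=.example-tracker.net; Path=/",
    ],
}

def registrable_domain(host):
    # Crude eTLD+1 approximation (last two labels); enough for the sample data,
    # but a real audit should use the Public Suffix List instead.
    return ".".join(host.lower().split(".")[-2:])

def parse_set_cookie(header):
    """Return (cookie name, dict of lower-cased attribute names -> values)."""
    pieces = [p.strip() for p in header.split(";")]
    name = pieces[0].split("=", 1)[0]
    attrs = {}
    for piece in pieces[1:]:
        key, _, value = piece.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs

def audit(site_url, responses):
    """Build the inventory: who set each cookie, first- or third-party,
    session or persistent, and whether Secure/HttpOnly are set."""
    site_domain = registrable_domain(urlparse(site_url).hostname)
    inventory = []
    for url, headers in responses.items():
        host = urlparse(url).hostname
        party = "first" if registrable_domain(host) == site_domain else "third"
        for header in headers:
            name, attrs = parse_set_cookie(header)
            # A cookie with neither Expires nor Max-Age dies with the browser session.
            persistent = "expires" in attrs or "max-age" in attrs
            inventory.append({
                "name": name, "set_by": host, "party": party,
                "lifetime": "persistent" if persistent else "session",
                "secure": "secure" in attrs, "httponly": "httponly" in attrs,
            })
    return inventory
```

Feed it the Set-Cookie headers captured from your own pages and from the third-party resources they load, and the resulting rows give you the starting point for steps 2 and 3.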