How to comply with the UK's new cookie laws
Published: 23 May 2011
The new requirement for website operators to gain the user's consent before storing data in a cookie is a potentially onerous one and there are a number of practical issues with technical implementation. The Information Commissioner, who has responsibility for ensuring the new regulations are followed, recognises this and has indicated that the new regulations will be implemented in phases. Further guidance from the ICO is expected in the next few weeks.
However, the Information Commissioner has also made it clear that the ICO expects website operators to prepare to comply with the new regulations.
How to comply with the new Cookie regulations
We've identified the following process that will allow you to prepare to meet the requirements of the new cookie regulations, in line with the ICO's recommendations:
1. Conduct a Cookie Audit. Build an inventory of the cookies created and updated by your website, and the relevance of each cookie to how your website operates. First-party and third-party cookies need to be included, as do session cookies and persistent cookies.
To start, build a list of cookies using one of the many Firefox add-on extensions (e.g. the Web Developer Extension) and then review each cookie in turn. You might need to refer to a website developer for technical assistance, and in specific cases you may wish to talk to your legal advisors too. If performing a comprehensive cookie audit sounds like it's beyond your technical capabilities - contact us for help.
(We performed a Cookie Audit for our website - here's the link.)
3. Consider how necessary each cookie is. In particular, review whether any of the cookies identified in your audit could be removed, or whether it is possible to reduce the overall privacy impact of your website for visitors.
4. Decide on a solution for obtaining consent - although be aware that we are still waiting for the ICO to provide further guidance on the implementation of the regulation, which could have implications for the methods that websites are allowed (or not allowed) to use to gain consent.
One of the important technical issues here is storing the visitor's preference. If the user declines to give consent for storing cookies, then it will not be (legally) possible to store their preference in a cookie, which could mean that website operators have to ask these users for consent on every visit. We're looking forward to seeing what the ICO advises in these circumstances. Contact us if you have any queries, or subscribe to our email newsletter and we'll update you when the situation becomes clearer.
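As an added illustration of the inventory described in step 1 (not code from the original article), the sketch below classifies each cookie as first- or third-party and as session or persistent. It assumes the Set-Cookie headers have already been captured along with the host that sent them; the sample data, the function names and the `example.org` site domain are all constructed for the example.

```javascript
// Constructed sample: Set-Cookie headers seen while loading one page, paired
// with the host that sent each one. Hosts and values are made up.
const SAMPLE = [
  { host: "www.example.org", header: "PHPSESSID=abc123; Path=/; HttpOnly" },
  { host: "www.example.org", header: "prefs=lang%3Den; Max-Age=31536000; Path=/" },
  { host: "stats.tracker.example", header: "uid=42; Expires=Wed, 23 May 2012 10:00:00 GMT" },
  { host: "cdn.example.org", header: "old=; Max-Age=0; Path=/" },
];

// Split one Set-Cookie header into the cookie name and a lower-cased attribute map.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const name = pair.split("=")[0];
  const attributes = {};
  for (const a of attrs.filter(Boolean)) {
    const i = a.indexOf("=");
    attributes[(i === -1 ? a : a.slice(0, i)).toLowerCase()] = i === -1 ? true : a.slice(i + 1);
  }
  return { name, attributes };
}

// Session cookies carry neither a usable Max-Age nor Expires. Max-Age wins over
// Expires (RFC 6265); a non-positive Max-Age or a past Expires is a deletion.
function lifetime(attributes, now) {
  const maxAge = parseInt(attributes["max-age"], 10);
  if (!Number.isNaN(maxAge)) return maxAge > 0 ? "persistent" : "deleted";
  const expires = Date.parse(attributes.expires);
  if (!Number.isNaN(expires)) return expires > now ? "persistent" : "deleted";
  return "session";
}

// Assumption: the auditor supplies the site's own domain; a host counts as
// first-party if it is that domain or a subdomain of it (no public-suffix lookup).
function party(host, siteDomain) {
  return host === siteDomain || host.endsWith("." + siteDomain) ? "first" : "third";
}

// Build the inventory: one row per cookie with its party and lifetime class.
function auditCookies(records, siteDomain, now = Date.now()) {
  return records.map(({ host, header }) => {
    const { name, attributes } = parseSetCookie(header);
    return { name, host, party: party(host, siteDomain), lifetime: lifetime(attributes, now) };
  });
}

console.table(auditCookies(SAMPLE, "example.org", Date.parse("2011-05-23T00:00:00Z")));
```

Rows marked "deleted" are headers that clear a cookie rather than set one, so they show which cookies the site manages even when none is currently stored.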