Nearly everyone is aware of the need for privacy notices on websites and the increasing importance of ensuring that individuals' data, once taken, is protected, but there is generally confusion over what is required regarding cookies.
What is a cookie?
A cookie is a small file of letters and numbers that is stored on your browser or the hard drive of your computer when you enter a website. Cookies contain information that is transferred to your computer’s hard drive and will be kept for a specific amount of time (from simple in-session use to indefinitely). Cookies are used by website providers for a number of reasons, from ensuring that the items added to your basket remain there, to tracking what sort of products you like to buy in order to send you targeted advertising (like when Facebook pops up a picture of that top you wanted to buy from that store a couple of days later when you didn’t get round to buying it…).
Some cookies can constitute personal data (such as tracking cookies) and therefore website operators need to ensure that they comply with the data protection regulations as well as the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).
Do I need to comply with these rules?
The Information Commissioner's Office (ICO) has enforcement powers in relation to failure to comply with cookie requirements and has a reporting facility on its webpage. Between April and December last year there were a total of 949 complaints made about cookies to the ICO. Whilst cookies are likely to be low down on its list compared to large companies' data breaches, the ICO has continued to expand over the last three years, almost doubling in size, meaning its capacity to deal with complaints increases. The E-Privacy Regulation (“the Regulations”), which seeks to shake up the rules on the requirements surrounding cookies, has been in the pipeline for a significant amount of time. Because it was due to be introduced a year ago, many companies had decided to wait for the changes before implementing Cookie Policies. As some estimate that the new Regulations will not be in force until 2021, it would not be practicable to wait until then to ensure compliance.
What do I need to do as a website operator?
The basic rules around what you need to tell your website users are as follows:
- explain what the specific cookies are; and
- get the person’s consent to store a cookie on their device.
How do I do this?
Are there any exceptions?
Yes, there are exemptions. Specifically, the Information Commissioner's Office has stated that you need not comply with the above if:
“the cookie is for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or the cookie is strictly necessary to provide an ‘information society service’ (eg a service over the internet) requested by the subscriber or user.”
Compliance with the above is therefore unlikely to be required for:
- load-balancing cookies (ie cookies that solely work to improve the usability of the website)
- session cookies (ie cookies solely used for the session in which the end user is on the website)
- cookies used to remember the goods a user wishes to buy
For further information, please contact Jo O’Donovan, a Solicitor in the Commercial & Employment department, on 01626 202347 or joO’Donovan@wbw.co.uk. WBW Solicitors has offices in Newton Abbot, Exeter, Torquay, Paignton, Bovey Tracey, Launceston, Honiton, Exmouth and Sidmouth.
This article is for general information only and does not constitute legal or professional advice. Please note that the law may have changed since this article was published.