Law firm Gordons warns businesses are running out of time to obtain cookie consent and avoid risking fines of up to £500,000
Amendments to the Privacy and Electronic Communications Regulations require companies to gain consent before placing cookies, which are used for tracking, on users’ computers. The Information Commissioner’s Office (ICO), which deals with breaches of data protection law, will begin enforcing the new rules on May 26.
Mark Jones, a solicitor in Gordons’ commercial litigation department, said: “Cookies are small text files, planted onto users’ computer hard drives when they visit websites. Their main purposes include tracking what users do while browsing the internet and remembering them when they next visit websites, so there’s no need to track personal details.
“Their functions also include remembering what users have put in their shopping baskets, so they can buy goods when they’ve finished browsing.
“There are four main types of cookie: first party, placed on users’ computer hard drives by websites they visit; third party, placed by parties other than websites being visited; session, which expire at the end of browsing sessions; and persistent, which stay on hard drives between browsing sessions.”
Under the new regulations, parties such as website owners, operators and advertisers need to ensure users consent to these cookies. That means giving clear and comprehensive information about the purposes for which they are used, stored and accessed, and asking users to agree to them.
This consent must be specific, informed and freely given. The agreement must also take into account who users are, so those responsible need to consider factors such as their age and capacity to consent.
The two cookie types to which the rules do not apply are those planted for the sole purpose of transmitting communications and those strictly necessary for providing information society services that users have requested. Cookies placed on users’ computers by websites they visit purely so they can remember what they want to buy are therefore exempt.
Mark said: “The practical steps businesses need to have taken between now and May 26 therefore begin with auditing their websites, to see what cookies are being deployed and categorising those required, according to whether they are first or third party, session or persistent. Companies should then determine the real function of each cookie, bearing in mind that if they’re likely to hold details of users – such as names, email addresses and browsing habits – consent is probably going to be needed.
“Businesses should then prepare tables or schedules showing cookie types, names, purposes and additional information about them. They should also have explanations on websites of what cookies are and why making users aware matters.
“Companies should then bring cookie explanations and tables to users’ attention, through pop-up windows, banners or in terms and conditions, if these have to be considered and accepted before they can proceed.”
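The audit and schedule described above can be started from the `Set-Cookie` headers a site's pages return. This is an added example, not code from Gordons or the ICO: the function names, hosts and headers are constructed, "same site" is approximated by a suffix match on a domain the auditor supplies, and the purpose column is left for a human reviewer.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def parse_set_cookie(header):
    """Return (cookie name, {lower-cased attribute: value}) for one Set-Cookie value."""
    first, *rest = [part.strip() for part in header.split(";")]
    attrs = {}
    for part in rest:
        key, _, value = part.partition("=")
        if key:
            attrs[key.strip().lower()] = value.strip()
    return first.split("=", 1)[0].strip(), attrs

def lifetime(attrs, now):
    """'session', 'persistent', or 'deleted' (expiry already passed)."""
    try:  # Max-Age takes precedence over Expires (RFC 6265)
        return "persistent" if int(attrs["max-age"]) > 0 else "deleted"
    except (KeyError, ValueError):
        pass  # absent or unparseable: fall back to Expires
    try:
        expires = parsedate_to_datetime(attrs["expires"])
    except (KeyError, TypeError, ValueError):
        return "session"  # no usable expiry: cookie ends with the browsing session
    if expires.tzinfo is None:
        expires = expires.replace(tzinfo=timezone.utc)
    return "persistent" if expires > now else "deleted"

def party(attrs, response_host, site_domain):
    """First party if the cookie's scope falls under the audited site's domain."""
    scope = (attrs.get("domain") or response_host).lower().lstrip(".")
    same = scope == site_domain or scope.endswith("." + site_domain)
    return "first party" if same else "third party"

def build_schedule(observations, site_domain, now):
    """One row per cookie; purpose is left for a human reviewer to fill in."""
    rows = []
    for response_host, header in observations:
        name, attrs = parse_set_cookie(header)
        rows.append({"name": name, "party": party(attrs, response_host, site_domain),
                     "lifetime": lifetime(attrs, now), "purpose": "TO REVIEW"})
    return rows

# Constructed sample: Set-Cookie headers seen while loading a page on example.com
SAMPLE = [
    ("www.example.com", "basket=abc123; Path=/; HttpOnly"),
    ("www.example.com", "visitor=42; Domain=.example.com; Max-Age=31536000"),
    ("ads.example.net", "track=xyz; Expires=Wed, 26 May 2032 00:00:00 GMT; Secure"),
]
NOW = datetime(2012, 5, 1, tzinfo=timezone.utc)  # fixed so the result is reproducible
```

Calling `build_schedule(SAMPLE, "example.com", NOW)` returns one row per cookie with its party and lifetime; a production audit would replace the suffix match with a Public Suffix List lookup.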
Mark warned that although any penalties imposed on companies found to be in breach of the regulations would be specific to the facts of their cases, the ICO had the power to impose fines of up to £500,000 and may well use the first corporate scalp as a very public example to others.