The new cookie regime – what you need to know

Barry Riley

Moving towards compliance

As part of an ongoing consultation process which started nearly a year ago, the ICO acknowledges that the introduction of the new legal framework on cookies presents businesses that use cookies throughout their website with considerable technical, legal and organisational challenges. In particular, many online service providers, retailers and advertising networks have come to rely on cookies for carrying out essential (and even non-essential) website functions. It was always expected that the transition to data protection-compliant systems was going to require a transition period of several months, during which the technical and compliance teams of online providers, in conjunction with browser operators, could develop technical as well as administrative solutions.

With the new rules due to come in force by the end of May 2012 this is becoming an area of growing concern for businesses who use cookies on their websites, as they rush to gain compliance as quickly as possible.

What are cookies?

cookie, also known as an HTTP cookieweb cookie, or browser cookie, is a piece of data stored by a website within a browser, and then subsequently sent back to the same website by the browser. Cookies were designed to be a reliable mechanism for websites to remember things that a browser had done there in the past, which can include having clicked particular buttons, logging in, or having read pages on that site months or even years ago.

Although cookies cannot carry viruses, and cannot install viruses on the host computer, tracking cookies and especially third-party tracking cookies are commonly used as a way to compile long-term records of individuals’ browsing histories — a major privacy concern, not only in the UK, but worldwide.

Other kinds of cookies perform essential functions in the modern Web. Perhaps most importantly, authentication cookies are the most common method used by web servers to know whether the user is logged in or not, and which account they are logged in under. Without such a mechanism, the site would not know whether to send a page full of sensitive information, or a message saying “sorry, you need to log in”. The security of an authentication cookie generally depends on the security of the issuing website and the user’s web browser. If not implemented correctly, a cookie’s data can be intercepted by a hacker to gain unapproved access to the user’s data and possibly to the originating website.


To facilitate this move towards compliance, the ICO confirmed last year that it was allow a lead-in period of 12 months for organisations to develop ways of meeting the cookie-related requirements of the revised Regulations. At the end of May 2012 , the ICO will move towards the approach set out in its general Data Protection Regulatory Action Policy and it will then consider using its enforcement powers to compel compliance in appropriate cases.

What do I need to know?

The use of cookies is only allowed if the user concerned:

  • Has been provided with clear and comprehensive information about the purposes for  which the cookie is stored and accessed; and
  • Has given his or her consent.

Cookie audit

The available guidance reiterates the ICO’s initial recommendation that website owners should carry out a cookie audit to do a number of things, including:

  • Identify the cookies operating on or through their website and confirm their purposes;
  • Confirm how privacy-intrusive each cookie used is likely to be (for example, because it links to personal information the website owner holds about an individual or because it allows the website owner to build up a detailed profile of an individual’s online behaviour);
  • Confirm the type of cookies used, distinguishing, in particular between session and persistent cookies and first party and third party cookies; and
  • Confirm that the website provides accurate and clear information about each cookie.

Meaning of consent

The guidance includes considerably more detailed information on the meaning of consent, and the limited exceptions that apply to the consent requirement. In particular, it explains which types of cookies can be considered “strictly necessary” and which may therefore be set without restrictions.

Among other things, the ICO’s updated guidance explains that:

  • Consent must involve some form of communication where the individual knowingly indicates their acceptance. This may involve clicking on an icon, sending an e-mail or subscribing to a service;
  • As a general rule, consent should be obtained before the cookie is set. However, the guidance does acknowledge that this may often be difficult in practice. It therefore encourages website owners to do as much as possible to reduce the amount of time before the user receives information about cookies and is provided with options.
  • Any reliance on “implied consent” must be based on the shared understanding between the website owner and the user of what is going to happen when the user visits the website.

It is important, and with the new developments, essential, to ensure compliance with the new regime, particularly where your business website is an integral tool to your day to day operations.

If you need further guidance as to what you can practically do to ensure your compliance with the new regime, feel free to contact me for assistance:

Barry Riley

Tel – 0117 9453 042


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s