
Cookie laws

This guide is based on UK law. It was last updated in May 2009.

Please note: cookie laws may be changing. See our editorial: Please kill this cookie monster to save Europe's websites, OUT-LAW News, 18/05/2009.

On 11th December 2003, new laws came into force in the UK that affect most web sites. If cookies are used in a site, the Privacy and Electronic Communications (EC Directive) Regulations 2003 provide that certain information must be given to that site's visitors.

The Regulations implemented into UK law the provisions of a European Directive that came into force on 31st July 2002. The Directive should have been implemented into the laws of all EU Member States by 31st October 2003, but most countries, like the UK, failed to meet this deadline.

Below you will find details on the UK Regulations and some additional information on the European Directive itself. Because each Member State has some discretion in how it implements a Directive, the cookie laws in other European countries may differ from those of the UK.

UK Regulations

The actual wording of the Regulations

The relevant rules are found in Regulation 6, which reads as follows:

6. - (1) Subject to paragraph (4), a person shall not use an electronic communications network to store information, or to gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.

(2) The requirements are that the subscriber or user of that terminal equipment -

(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and

(b) is given the opportunity to refuse the storage of or access to that information.

(3) Where an electronic communications network is used by the same person to store or access information in the terminal equipment of a subscriber or user on more than one occasion, it is sufficient for the purposes of this regulation that the requirements of paragraph (2) are met in respect of the initial use.

(4) Paragraph (1) shall not apply to the technical storage of, or access to, information -

(a) for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network; or

(b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.

What does this mean?

The Regulations mean that a web operator (or any on-line service provider using cookies for their own purposes) must not store information or gain access to information stored in the terminal equipment of a user unless the user "is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information" and "is given the opportunity to refuse the storage of or access to that information."

The Information Commissioner has published guidance (see pages 4-7 of the 19-page PDF) that gives his interpretation of the time when the opportunity to refuse needs to be given.

Fortunately for operators of web sites, the Commissioner takes a pragmatic view. The Commissioner writes: "At the very least, however, the user or subscriber should be given a clear choice as to whether or not they wish to allow a service provider to continue to store information on the terminal in question." (Emphasis from original document.)

He continues:

"Where the relevant information is to be provided in a privacy policy, for example, the policy should be clearly signposted at least on those pages where a user may enter a website. The relevant information should appear in the policy in a way that is suitably prominent and accessible and it should be worded so that all users and subscribers are able to easily understand and act upon it."

So, while it may be best practice in complying with the literal meaning of the Regulations to offer an opportunity to refuse cookies before sending them to a user's computer, the Commissioner perhaps acknowledges that this is not necessarily best practice in creating a user-friendly web site.

Ideally, the opportunity to refuse storage or access to the information should always be available and the means of doing so should be explained in an uncomplicated way. One risk-averse approach would be to require users to "opt-in" to receiving a cookie as opposed to providing them with an opportunity to "opt-out".

Therefore, it seems to be acceptable practice to use cookies without prior consent, provided the use of cookies, and how to control or disable them, is fully explained in a cookie policy or privacy policy which is accessible from every page of a site. However, in his Good Practice Note – Collecting personal information using Websites, he states that "if you choose to let people know through the privacy statement, it is important to have some reference to the use of tracking technology clearly displayed to all visitors", suggesting that some form of flag or signpost is required up front, although he does not expand on this.

Penalty for non-compliance

The Regulations carry a maximum fine of £5,000 for failure to comply.

The Data Protection Act can also apply

Where the use of a cookie by a service provider also involves personal data (broadly, information relating to individuals), an additional set of rules must be adhered to. The UK's Data Protection Act 1998 derives from the EU Data Protection Directive and does not contain specific provisions relating to cookies. However, it does require that, where personal information is collected, data subjects (which will include internet users) should be told of this collection or have information about it made available to them.

Even where it is possible to anonymise information, the information may still be classed as personal data under the Act if it can be traced back or put together with other information to identify the individual.

Therefore the Act requires that the owner of a web site using cookies (the data controller) must make clear its identity, its purposes for holding the information, and anything else necessary in the circumstances to make the processing fair. This information must also be provided when personal data are collected from third parties. In addition, personal data must not be used to an extent that would be considered excessive. For further information on the requirements of the Data Protection Act 1998 see our data protection section.

European Directive

Background

As mentioned above, the European Union Directive on Privacy and Electronic Communications came into force on 31st July 2002 and should have been implemented into the laws of Member States by 31st October 2003; but most countries failed to meet this deadline.

The recitals to the Directive suggest that the use of devices that can enter an internet user's terminal equipment and access, store or trace information without their knowledge may be a serious intrusion into the user's privacy. Such devices include so-called spyware, web bugs and hidden identifiers, and should only be allowed for legitimate purposes and with the user's knowledge.

The Directive recognises, however, that cookies and similar devices can be a "legitimate and useful tool" for example in analysing the effectiveness of website design and advertising and verifying the identity of users as long as they are intended for a legitimate purpose and users are provided with "clear and precise information" about their purposes. It suggests that users should have the opportunity to refuse to have a cookie or similar device stored on their terminal equipment. This is said to be particularly important where users other than the original user have access to the terminal equipment, because they could have access to data containing privacy-sensitive information.

The Directive also suggests that the methods for giving information and either offering a right to refuse a cookie or requesting consent should be made as user-friendly as possible, and that this can be done once during a particular connection, covering any further use that may be made of such devices during subsequent connections.

It states that access to specific website content may still be made conditional on the well-informed acceptance of a cookie, if used for a legitimate purpose. There is therefore nothing to stop you only allowing access to parts of a site if this has been made clear to users and you have a legitimate reason to do so.

Specific provisions of the Directive

Article 5 of the Directive provides that Member States must ensure that "the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with [the Data Protection Directive] about the purposes of the processing, and is offered the right to refuse such processing by the data controller..."

There is no obligation however where technical storage or access is necessary to facilitate the transmission of a communication (however, there must be an absolute need to use a cookie device in order for this exemption to apply) or where there is a need to provide an information society service explicitly requested by the user, for example an online shopping basket.

Summary

Therefore there is a requirement under the Directive and the UK Regulations to:

  • tell users about cookies and what you are going to use their information for; and
  • offer a right to refuse storage of or access to that information.

The Data Protection Act also requires users to be provided with certain information. A simple way to provide internet users with information is to provide them with a privacy policy, a data protection notice, or both. The privacy policy or notice if used properly can meet the information provision requirements of both the Directive and the Act (although note the Information Commissioner's view about referring someone clearly to tracking technology if only using a privacy statement). For further information on implementing a privacy policy or data protection notice online see the OUT-LAW.COM guide on Data Protection and http://www.aboutcookies.org/.

Providing users with a right to refuse a cookie may be technically more difficult as there are a number of internet browsers and different versions of each browser which all act in different ways. This is one of the reasons that we have set up this site. We suggest that by making it clear in a privacy policy or notice that a user does not have to have a cookie and by linking them to this site which provides details for various browsers of how to stop cookies being stored or how to delete them if they have already been stored, the requirements of the Directive will be met.



Disclaimer: We hope you find OUT-LAW’s content useful. It’s prepared by the lawyers at Pinsent Masons. Please remember, though, that it’s intended as general information only. It’s not legal advice. If that’s what you’re seeking, please contact us. See also: our full disclaimer
