Cookie laws
This guide is based on UK law. It was last updated in May 2009.
Please note: cookie laws may be changing. See our editorial: Please kill this cookie monster to save Europe's websites, OUT-LAW News, 18/05/2009.
On 11th December 2003, new laws came into force in the UK that affect most web sites. If cookies are used in a site, the Privacy and Electronic Communications (EC Directive) Regulations 2003 provide that certain information must be given to that site's visitors and that those visitors must be given the opportunity to refuse the cookies.
The Regulations implemented
into UK law the provisions of a European Directive that came into
force on 31st July 2002. The Directive should have been implemented
into the laws of all EU Member States by 31st October 2003, but
most countries, like the UK, failed to meet this deadline.
Below you will find details
on the UK Regulations and some additional information on the
European Directive itself. Because each Member State has some
discretion in how it implements a Directive, the cookie laws in
other European countries may differ from those of the UK.
UK Regulations
The actual wording of the Regulations
The relevant rules are found
in Regulation 6, which reads as follows:
6. - (1) Subject to
paragraph (4), a person shall not use an electronic communications
network to store information, or to gain access to information
stored, in the terminal equipment of a subscriber or user unless
the requirements of paragraph (2) are met.
(2) The requirements are
that the subscriber or user of that terminal equipment -
(a) is provided with clear
and comprehensive information about the purposes of the storage of,
or access to, that information; and
(b) is given the opportunity
to refuse the storage of or access to that information.
(3) Where an electronic
communications network is used by the same person to store or
access information in the terminal equipment of a subscriber or
user on more than one occasion, it is sufficient for the purposes
of this regulation that the requirements of paragraph (2) are met
in respect of the initial use.
(4) Paragraph (1) shall not
apply to the technical storage of, or access to, information -
(a) for the sole purpose of
carrying out or facilitating the transmission of a communication
over an electronic communications network; or
(b) where such storage or
access is strictly necessary for the provision of an information
society service requested by the subscriber or user.
What does this mean?
The Regulations mean that a
web operator (or any on-line service provider using cookies for
their own purposes) must not store information or gain access to
information stored in the terminal equipment of a user unless the
user "is provided with clear and comprehensive information about
the purposes of the storage of, or access to, that information" and
"is given the opportunity to refuse the storage of or access to
that information."
The Information Commissioner has published
guidance (see pages 4-7 of the 19-page PDF) that gives his
interpretation of the time when the opportunity to refuse needs to
be given.
Fortunately for operators of web sites, the Commissioner takes a
pragmatic view. The Commissioner writes: "At the very least,
however, the user or subscriber should be given a clear choice as
to whether or not they wish to allow a service provider to
continue to store information on the terminal in
question." (Emphasis from original document.)
He continues:
"Where the relevant information is to be
provided in a privacy policy, for example, the policy should be
clearly signposted at least on those pages where a user may enter a
website. The relevant information should appear in the policy in a
way that is suitably prominent and accessible and it should be
worded so that all users and subscribers are able to easily
understand and act upon it."
So, while the literal wording of the Regulations is best met by offering an opportunity to refuse cookies before any are sent to a user's computer, the Commissioner appears to acknowledge that this is not necessarily best practice for building a user-friendly web site.
Ideally, the opportunity to
refuse storage or access to the information should always be
available and the means of doing so should be explained in an
uncomplicated way. One risk-averse approach would be to require
users to "opt-in" to receiving a cookie as opposed to providing
them with an opportunity to "opt-out".
Therefore, it seems to be acceptable practice to use cookies without prior consent, provided the use of cookies, and how to control or disable them, is fully explained in a cookie policy or privacy policy which is accessible from every page of a site. However, in his Good Practice Note "Collecting personal information using Websites", the Commissioner states that "if you choose to let people know through the privacy statement, it is important to have some reference to the use of tracking technology clearly displayed to all visitors", suggesting that some form of flag or signpost is required up front, although he does not expand on this.
Penalty for non-compliance
The Regulations carry a
maximum fine of £5,000 for failure to comply.
The Data Protection Act can also apply
Where the use of a cookie by
a service provider also involves personal data (broadly information
relating to individuals) an additional set of rules must be adhered
to. The UK's Data Protection Act of 1998 derives from the EU Data
Protection Directive and does not contain specific provisions
relating to cookies. However, it does require that where personal
information is collected then data subjects (which will include
internet users) should be told of this collection or information
about it should be made available to them.
Even where it is possible to
anonymise information, the information may still be classed as
personal data under the Act if it can be traced back or put
together with other information to identify the individual.
Therefore the requirements
of the Act are that the owner of a web site using cookies (the data
controller) must make its identity clear, the purposes for it
having the information and anything else necessary in the
circumstances to make the processing fair. This information must
also be provided when personal data are collected from third
parties. In addition, personal data must not be used to the extent
that the use would be considered excessive. For further information
on the requirements of the Data Protection Act 1998 see our
data protection
section.
European Directive
Background
As mentioned above, the
European Union Directive on Privacy and Electronic Communications
came into force on 31st July 2002 and should have been implemented
into the laws of Member States by 31st October 2003; but most
countries failed to meet this deadline.
The recitals to the
Directive suggest that the use of devices that can enter an
internet user's terminal equipment and access, store or trace
information without their knowledge may be a serious intrusion to a
user's privacy. Such devices include so called spyware, webbugs and
hidden identifiers and should only be allowed for legitimate
purposes and with the user's knowledge.
The Directive recognises,
however, that cookies and similar devices can be a "legitimate and
useful tool" for example in analysing the effectiveness of website
design and advertising and verifying the identity of users as long
as they are intended for a legitimate purpose and users are
provided with "clear and precise information" about their purposes.
It suggests that users should have the opportunity to refuse to
have a cookie or similar device stored on their terminal equipment.
This is said to be particularly important where users other than
the original user have access to the terminal equipment, because
they could have access to data containing privacy-sensitive
information.
The Directive also suggests that the methods for giving information, and for either offering a right to refuse a cookie or requesting consent, should be made as user friendly as possible. It adds that this can be done once, during a particular connection, and can also cover any further use that may be made of such devices during subsequent connections.
It states that access to
specific website content may still be made conditional on the
well-informed acceptance of a cookie, if used for a legitimate
purpose. There is therefore nothing to stop you only allowing
access to parts of a site if this has been made clear to users and
you have a legitimate reason to do so.
Specific provisions of the Directive
Article 5 of the Directive
provides that Member States must ensure that "the use of electronic
communications networks to store information or to gain access to
information stored in the terminal equipment of a subscriber or
user is only allowed on condition that the subscriber or user
concerned is provided with clear and comprehensive information in
accordance with [the Data Protection Directive] about the purposes
of the processing, and is offered the right to refuse such
processing by the data controller..."
There is no obligation, however, where technical storage or access is necessary to facilitate the transmission of a communication (there must be an absolute need to use the cookie for this exemption to apply), or where the storage or access is strictly necessary to provide an information society service explicitly requested by the user, for example an online shopping basket.
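The distinction drawn here between strictly necessary cookies and everything else, together with the opt-in approach mentioned earlier as the risk-averse option, can be enforced server-side rather than left to the browser. The following is an added example written for this page; it is not code from OUT-LAW, from aboutcookies.org or from any regulator. The cookie names (session, basket, cookie_consent, analytics_id), the consent value "accepted" and the treatment of the consent cookie itself as strictly necessary are assumptions made for illustration. Strictly necessary cookies are always issued; every other cookie is withheld until the browser presents a consent cookie recording an opt-in, and withdrawing consent expires the non-essential cookies already stored, which is the "opportunity to refuse" after the fact.

```python
"""Consent-gated Set-Cookie issuance (added example, not OUT-LAW's code).

Cookies named in STRICTLY_NECESSARY are treated as falling under the
"strictly necessary" exemption and are always issued.  Every other cookie
is withheld until the browser presents a consent cookie recording an
opt-in, so nothing non-essential is stored on the terminal equipment
before the user has chosen.  Cookie names and values are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CONSENT_COOKIE = "cookie_consent"            # assumed name; "accepted" means opted in
CONSENT_MAX_AGE = 365 * 24 * 3600            # remember the choice for a year
STRICTLY_NECESSARY = {"session", "basket", CONSENT_COOKIE}  # assumed set


@dataclass(frozen=True)
class CookieSpec:
    name: str
    value: str
    purpose: str                   # plain-language purpose, for the cookie policy
    max_age: Optional[int] = None  # seconds; None means a session cookie


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Parse an incoming Cookie: header. First occurrence of a name wins."""
    cookies: Dict[str, str] = {}
    for part in header.split(";"):
        part = part.strip()
        if "=" not in part:
            continue  # ignore malformed fragments rather than failing the request
        name, value = part.split("=", 1)
        cookies.setdefault(name.strip(), value.strip())
    return cookies


def has_consent(request_cookies: Dict[str, str]) -> bool:
    """True only if the browser carries an explicit opt-in; absence is not consent."""
    return request_cookies.get(CONSENT_COOKIE) == "accepted"


def set_cookie_header(spec: CookieSpec) -> str:
    """Render one Set-Cookie value with conservative attributes."""
    attrs = [f"{spec.name}={spec.value}", "Path=/", "Secure", "HttpOnly", "SameSite=Lax"]
    if spec.max_age is not None:
        attrs.append(f"Max-Age={spec.max_age}")
    return "; ".join(attrs)


def issue_cookies(cookie_header: str, wanted: List[CookieSpec]) -> Tuple[List[str], List[str]]:
    """Return (Set-Cookie values to send, names withheld pending consent)."""
    consented = has_consent(parse_cookie_header(cookie_header))
    issued: List[str] = []
    withheld: List[str] = []
    for spec in wanted:
        if spec.name in STRICTLY_NECESSARY or consented:
            issued.append(set_cookie_header(spec))
        else:
            withheld.append(spec.name)  # nothing stored on the terminal equipment
    return issued, withheld


def record_consent(accepted: bool) -> str:
    """Set-Cookie value recording the choice; storing the choice is itself needed to honour it."""
    value = "accepted" if accepted else "refused"
    return set_cookie_header(CookieSpec(CONSENT_COOKIE, value, "remembers cookie choice", CONSENT_MAX_AGE))


def withdraw_consent(cookie_header: str) -> List[str]:
    """Expire every non-essential cookie the browser currently holds and record the refusal."""
    present = parse_cookie_header(cookie_header)
    expired = [set_cookie_header(CookieSpec(name, "", "expire on refusal", 0))
               for name in present if name not in STRICTLY_NECESSARY]
    return expired + [record_consent(False)]


if __name__ == "__main__":
    wanted = [CookieSpec("session", "s1", "keeps you logged in"),
              CookieSpec("basket", "b1", "remembers your shopping basket"),
              CookieSpec("analytics_id", "a1", "site usage statistics", 30 * 24 * 3600)]
    for header in ("session=s1", "session=s1; cookie_consent=accepted"):
        issued, withheld = issue_cookies(header, wanted)
        print(header, "->", len(issued), "issued; withheld:", withheld)
```

The `purpose` field is carried on every cookie so the same table can generate the "clear and comprehensive information" the Regulations ask for in the cookie policy; the refusal path matters as much as the opt-in, since a user who changes their mind must be able to have already-stored cookies removed rather than merely blocked.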
Summary
Therefore there is a requirement under the Directive and the UK Regulations to:
- tell users about cookies and what you are going to use their information for; and
- offer a right to refuse storage of or access to that information.
The Data Protection Act also
requires users to be provided with certain information. A simple
way to provide internet users with information is to provide them
with a privacy policy, a data protection notice, or both. The
privacy policy or notice if used properly can meet the information
provision requirements of both the Directive and the Act (although
note the Information Commissioner's view about referring someone
clearly to tracking technology if only using a privacy statement).
For further information on implementing a privacy policy or data
protection notice online see the OUT-LAW.COM guide on Data Protection and
http://www.aboutcookies.org/.
Providing users with a right to refuse a cookie may be technically more difficult, as there are a number of internet browsers, and different versions of each, which all behave differently. This is one of the reasons that we have set up this site. We suggest that by making it clear in a privacy policy or notice that a user does not have to accept a cookie, and by linking them to this site, which gives details for various browsers of how to stop cookies being stored or how to delete them if they have already been stored, the requirements of the Directive will be met.
Disclaimer: We hope you find OUT-LAW’s content useful. It’s prepared by the lawyers at Pinsent Masons. Please remember, though, that it’s intended as general information only. It’s not legal advice. If that’s what you’re seeking, please
contact us. See also: our
full disclaimer