Crunch time for cookie-users

The snappily-named Privacy and Electronic Communications Directive became law in England last May, but to the relief of most businesses, the Information Commissioner’s Office allowed a 12 month period of grace to allow website owners time to comply.

That period of grace expires on 25th May 2012 and businesses are being warned that there will be fierce penalties for non-compliance now that the new rules are in force.

The so-called ‘cookie law’ requires every website owner to obtain consent before installing cookies on the computer of a visitor to their site. In addition, websites using cookies must set out a clear description of how cookies are used on the site and, if cookies are used to obtain personal information on a customer, the website must publish a privacy policy.

Said Mario Savvides, a solicitor in our Commercial Law department: “Any business that has not yet taken action to comply must do so urgently. The 12-month period of grace means that the penalties for businesses that do not comply will be all the harsher. The Information Commissioner warned last year that ‘those who choose to do nothing will have their lack of action taken into account when we begin formal enforcement of the rules.’”

So what is a cookie?

It is a file that enables a website to store data relating to users. For example, a cookie will enable the website of an on-line store to record what is in your basket, or to know what scene you have reached if you are watching a television drama on-line.

Cookies do not act as viruses because they cannot perform functions, they can only read. However they can act as a sort of spy in your computer because they can record your browsing patterns and personal information without your knowledge. For this reason anti-virus and security software will normally flag them for deletion.

Who needs to act?

The owner of any website that operates within the EU must now ensure compliance with the rules. This includes any website that has a secure area where users log in, or one that has a shopping basket facility or runs advertisements from third parties.

Even if your website does none of these things it might be using cookies if it has software such as Google Analytics that collects statistical information about the use of the website or the number of viewings of particular pages on the site.

Mario added: “Many smaller businesses have assumed it won’t apply to them if they don’t trade online or have complex websites, but most of them will be running site analytics.

“The message to those who are not yet compliant is that it is not too late to act but you must act fast. At the very least small businesses need to put a ‘consent to cookies’ clause in their terms and conditions and have a click to accept box for these terms if they do not have one already. Then pages must be added to the website to contain a description of how cookies are used and, if personal data is collected, to set out a privacy policy.”

For more information contact Mario on 0208 8858 6971 or ms@gransaw.co.uk

This is not legal advice; it is intended to provide information of general interest about current legal issues.