How to comply with the law
Help for your site
If your organisation is based in the UK, your web site should
meet the new cookie laws. About Cookies was launched by
international law firm Pinsent Masons to help organisations to
comply with this law.
You are legally required to tell your visitors about your use of
cookies or other tracking technologies, and how they can delete or
control them.
The obvious place for this information may be as part of your
privacy policy. But these policies have to be short to be user
friendly - and adding a few pages on how to delete or control
cookies would make them unwieldy. It is also unrealistic to expect
you to update your privacy policy every time Microsoft releases a
new version of its browser.
So we created About Cookies to relieve this burden from UK
organisations. By providing a link from your site's privacy policy
to AboutCookies.org, your users can find much of what they need to
know about cookies for the most popular browsers - including
various versions of Microsoft's Internet Explorer, Netscape
Navigator and Opera.
How About Cookies can help your site
We recommend that your web site has a privacy policy that is
accessible via a link on every page. In addition you should display
a data protection notice - also called a fair processing notice -
before any user of your site enters his or her personal data. See
below for more information on data protection notices.
With that in mind, the following wording may be appropriate for
your privacy policy:
We may also store information about you using
cookies (files which are sent by us to your computer or other
access device) which we can access when you visit our site in
future. We do this to [describe why cookies are used].
If you want to delete any cookies that are already
on your computer, please refer to the instructions for your file
management software to locate the file or directory that stores
cookies. Our cookies will have the file names [insert file names,
e.g. cookie1.txt and cookie2.txt].
Information on deleting or controlling cookies is
available at www.AboutCookies.org. Please note that by deleting our
cookies or disabling future cookies you may not be able to access
certain areas or features of our site.
Your exact wording will clearly depend on your use of cookies.
It may be that you use cookies to track the contents of a shopping
cart from a user's initial selection of a product to the checkout,
for example. If so, describe this within the above wording. Also
bear in mind that there will be many other issues to address in
your privacy policy which we do not explain at this site.
More information on data protection notices
A data protection notice is legally required on UK web sites
that collect personal data, unless the purpose of the collection is
obvious. It should be displayed or made readily available before
the data is entered - even if the data is nothing more than a
visitor's e-mail address.
The data protection notice should make visitors aware of the
following:
- the identity of the person or organisation responsible for
operating the web site (data controller) and of anyone else who
collects personal data through the site;
- the purposes for which they intend to process the personal
data;
- any other information needed to ensure fairness to individuals,
taking into account the specific circumstances of the processing.
This will include informing individuals of any disclosure of
information about them to third parties, including disclosure to
companies within the same group.
Some form of notice must be incorporated as a compulsory part of
the user's browsing experience if he or she is about to enter
personal data.
However, we recommend that you also have a link from every page
to a privacy policy, because it's something that your visitors will
expect. The privacy policy and data protection notice can be the
same wording; but usually you will want a different approach for
each: a short, punchy data protection notice - to minimise the
disruption of a user's experience - and a longer privacy policy, to
provide maximum reassurance where the user can find it easily.
Also, remember that there may be more than one data controller
involved in the collection of personal data on a web site,
particularly where banner advertising is placed by a third party,
or where a third party provides a secure payment mechanism. In such
cases all data controllers should be identified.
Pinsent Masons, the law firm behind OUT-LAW.COM and
AboutCookies.org, has one of the UK's leading privacy and data
protection law teams. Our specialists would be happy to help your
organisation with data protection. We also provide a range of data
protection training services.
Alternatively, you may be interested in our OUT-LAW Compliance
service. This service provides a legal review of your site, testing
it against not only data protection laws but also the UK's
e-business laws and our own best practice policies. The price is
£1,000 plus VAT for most sites. Some sites may be more expensive,
but a free quote will always be provided in advance, based on an
initial examination of the site. See more details on OUT-LAW Compliance.