Cookie Law
On 11th December 2003, new laws came into force in the UK that affect most web sites. If cookies are used in a site, the Privacy and Electronic Communications (EC Directive) Regulations 2003 provide that certain information must be given to that site's visitors.
The Regulations implemented into UK law the provisions of a European Directive that came into force on 31st July 2002. The Directive should have been implemented into the laws of all EU Member States by 31st October 2003, but most countries, like the UK, failed to meet this deadline.
Below you will find details on the UK Regulations and some additional information on the European Directive itself. Because each Member State has some discretion in how it implements a Directive, the cookie laws in other European countries may differ from those of the UK.
UK Regulations
The actual wording of the Regulations
The relevant rules are found in section 6, which reads as follows:
6. - (1) Subject to paragraph (4), a person shall not use an electronic communications network to store information, or to gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.
(2) The requirements are that the subscriber or user of that terminal equipment -
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
(b) is given the opportunity to refuse the storage of or access to that information.
(3) Where an electronic communications network is used by the same person to store or access information in the terminal equipment of a subscriber or user on more than one occasion, it is sufficient for the purposes of this regulation that the requirements of paragraph (2) are met in respect of the initial use.
(4) Paragraph (1) shall not apply to the technical storage of, or access to, information -
(a) for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network; or
(b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.
What does this mean?
The Regulations mean that a web operator must not store information or gain access to information stored in the terminal equipment of a user unless the user "is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information" and "is given the opportunity to refuse the storage of or access to that information."
The Information Commissioner has published guidance (see pages 4-7 of the report in PDF format) that gives his interpretation of the time when the opportunity to refuse needs to be given.
Fortunately for operators of web sites, the Commissioner takes a pragmatic view. The Commissioner writes: "at the very least, however, the user or subscriber should be given a clear choice as to whether or not they wish to allow a service provider to engage in the continued storage of information".
He continues: "Where the relevant information is to be provided in a privacy policy, for example, the policy should be clearly signposted at least on those pages where a user may enter a website."
So, while it may be best practice in complying with the literal meaning of the Regulations to offer an opportunity to refuse cookies before sending them to a user's computer, the Commissioner perhaps acknowledges that this is not necessarily best practice in creating a user-friendly web site.
Therefore, it seems to be acceptable practice to use cookies without prior consent, provided the use of cookies is fully explained in a cookie policy or privacy policy which is accessible from every page of a site.
Penalty for non-compliance
The Regulations carry a maximum fine of £5,000 for failure to comply.
The Data Protection Act Can Also Apply
The UK's Data Protection Act of 1998 derives from the EU Data Protection Directive and does not contain specific provisions relating to cookies. However, it does require that where personal information is collected, data subjects (which will include internet users) should be told of this collection, or information about it should be made available to them.
Even where it is possible to anonymise information, the information may still be classed as personal data under the Act if it can be traced back, or put together with other information, to identify the individual.
Therefore the Act requires that the owner of a web site using cookies (the data controller) must make clear its identity, the purposes for which it holds the information, and anything else necessary in the circumstances to make the processing fair. This information must also be provided when personal data are collected from third parties.
For further information on data protection refer to our sister site http://www.out-law.com/.
European Directive
Background
As mentioned above, the European Union Directive on Privacy and Electronic Communications came into force on 31st July 2002 and should have been implemented into the laws of Member States by 31st October 2003, but most countries failed to meet this deadline.
The recitals to the Directive suggest that the use of devices that can enter an internet user's terminal and access, store or trace information without their knowledge may be a serious intrusion to a user's privacy. Such devices include so-called spyware, web bugs and hidden identifiers, and should only be allowed for legitimate purposes and with the user's knowledge.
The Directive recognises, however, that cookies and similar devices can be a "legitimate and useful tool", for example in analysing the effectiveness of website design and advertising and in verifying the identity of users, as long as they are intended for a legitimate purpose and users are provided with "clear and precise information" about their purposes. It suggests that users should have the opportunity to refuse to have a cookie or similar device stored on their terminal equipment. This is said to be particularly important where users other than the original user have access to the terminal equipment, because they could have access to data containing privacy-sensitive information.
The Directive also suggests that the methods for giving information and either offering a right to refuse a cookie or requesting consent should be made as user-friendly as possible, but that this can be done once for use during a particular connection while also covering any further use that may be made of such devices during subsequent connections.
It states that access to specific website content may still be made conditional on the well-informed acceptance of a cookie, if used for a legitimate purpose. There is therefore nothing to stop you only allowing access to parts of a site if this has been made clear to users and you have a legitimate reason to do so.
Specific Provisions Of The Directive
Article 5 of the Directive provides that Member States must ensure that "the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with [the Data Protection Directive] about the purposes of the processing, and is offered the right to refuse such processing by the data controller..."
There is no obligation, however, where technical storage or access is necessary to facilitate the transmission of a communication, or where there is a need to provide an information service explicitly requested by the user, for example an online shopping basket.
Summary
Therefore there is a requirement under the Directive and the UK Regulations to:
- tell users about cookies and what you are going to use their information for; and
- offer a right to refuse.
The Data Protection Act also requires users to be provided with certain information. A simple way to provide internet users with information is to provide them with a privacy policy, a data protection notice, or both. The privacy policy or notice, if used properly, can meet the information provision requirements of both the Directive and the Act. For further information on implementing a privacy policy or data protection notice online, see the OUT-LAW.COM guide on Data Protection.
Providing users with a right to refuse a cookie may be technically more difficult, as there are a number of internet browsers and different versions of each browser which all act in different ways. This is one of the reasons that we have set up this site. We suggest that by making it clear in a privacy policy or notice that a user does not have to have a cookie, and by linking them to this site, which provides details for various browsers of how to stop cookies being stored or how to delete them if they have already been stored, the requirements of the Directive will be met.
Useful Links
- The Privacy and Electronic Communications (EC Directive) Regulations 2003
- Information Commissioner's Guidance (18-page PDF)
- EU Directive on Privacy and Electronic Communications 2002 (11-page PDF)
- Data Protection Act 1998