Banner

Online businesses need to understand new laws on cookies

Small firms with an online presence are being urged to review their use of website cookies in the light of new EU laws.

Large numbers of websites use cookies - small files - to help visitors navigate the various pages. Cookies carry out such jobs as remembering log-in details and payment details, and analysing the browsing patterns of users.

They work by storing a piece of code on to a website visitor's computer which allows the website to recall and identify that visitor the next time they click on.

However, recent changes to the EU Privacy and Electronic Communications Regulations mean that websites must first obtain the visitor's permission before installing a cookie on their computer. Before May this year, visitors were required to opt out of receiving cookies.

Businesses that breach the law could be fined as much as £500,000.

But the Information Commissioners' Office, (ICO) which is the body charged with regulating online rules, has said that there is a degree of leeway allowed by the new legislation.

Should the ICO receive a complaint about non-consent cookie use on a UK website, it will give the owners of the site up to 12 months in which to make the necessary amendments.

The regulatory body has laid out a simple plan to help businesses decide if their websites are likely to infringe the new rules.

They should check what type of cookies they use. They should judge how intrusive the cookies are. And they should decide how to best obtain consent from users.

This last could involve a pop-up message that provides an opt-in option when someone visits, or allowing visitors to make various choices about the way in which they navigate a site.

Christopher Graham, the Information Commissioner, commented: "I have said all along that the new EU rules on cookies are challenging. It would obviously ruin some users' browsing experience if they needed to negotiate endless pop ups - and I am not saying that businesses have to go down that road.

"Equally, I have to remember that this law has been brought in to give consumers more choice about what companies know about them. That's why I'm taking a common sense approach that takes both views into account. 

"Browser settings giving individuals more control over cookies will be an important contributor to a solution. But the necessary changes to the technology aren't there yet. In the meantime, although there isn't a formal transitional period in the Regulations, the government has said they don't expect the ICO to enforce this new rule straight away. So we're giving businesses and organisations up to one year to get their house in order.

"This does not let everyone off the hook. Those who choose to do nothing will have their lack of action taken into account when we begin formal enforcement of the rules."

One business group, the Forum of Private Business (FPB), believes that firms should look at how their websites function sooner rather than later.

Phil Orford, the FPB's chief executive, said: "Previously, the rules surrounding the use of cookies meant that you were obliged to explain somewhere on your website how you used them and how visitors could stop your site from doing so, but that was it.

"Now, you won't be able to put cookies on people's computers without them consciously giving their consent for you to do so, even if it means your website might not work properly as a result. A business with a simple, non-interactive, two or three-page site shouldn't be affected but if your website has a shopping basket function, remembers when a user has logged in, carries third party advertising or uses an analytics package, it is likely that it uses cookies to do so.

"Thankfully, the ICO has said it will give businesses up to a year to 'get their house in order' if it receives a complaint about them. But with the possibility of a £500,000 fine for those deemed to be flouting the law, it is advisable for any business owners who think they may be affected to assess their use of cookies now and make any changes necessary."

More details on the rule changes can be found at: http://www.ico.gov.uk/%7E/media/documents/library/Privacy_and_electronic/Practical_application/enforcing_the_revised_privacy_and_electronic_communication_regulations_v1.pdf