
Date of publication: November 2016

Businesses use cookies on their websites for various purposes. This Guide sets out some of the legal issues surrounding usage of cookies and the legal requirements for websites that are accessible in the UK.

What are cookies?

Cookies are small files which track user access of websites in order to collect information about individuals and their online behaviour. They are implanted on the user’s hard drive, often without the user’s knowledge, in order to collect information about each visit to the website. Certain information such as setting preferences and login details is then retained for subsequent visits.

Cookies are most frequently used to:

  • optimise the efficiency of a website;
  • collect details about visitors to a website;
  • track movements around a website; and
  • analyse visitor trends.

Cookies can be used to collect a variety of information and will have differing lifespans. Some cookies will be automatically deleted as soon as a session ends, whereas others will remain on the user’s device for subsequent visits to the website. The lifespan will generally reflect the type of information being collected and the intended use of the particular cookie.

What are the EU/UK requirements on cookies?

In the European Union (“EU”), data protection laws apply whenever a business collects ‘personal data’ from individuals that are based within the EU.

Personal data means any information which relates to a living individual who can be identified from that data, whether on its own or in conjunction with other obtainable information. This includes basic details such as names, addresses, photos and IP addresses. (For more information about data protection please see our related Quick Guides and booklet on this subject.)

If cookies are only being used in a way that does not collect personal data (e.g. where they are solely for navigation purposes), then data protection laws should not apply. Where cookies are used which do collect personal data (e.g. to remember login data), then the website host must meet certain requirements, as set out below:

Consent: Under UK law, a business must obtain the consent of an individual before collecting and processing their personal data. Therefore, if a website collects personal information through its cookies, the website owner/host will need to obtain consent prior to processing. This consent can be implied or explicit as follows:

Implied Consent can only be relied upon where the website owner/host is able to show that the user has taken a specific action to consent to the use of cookies. The UK’s Information Commissioner’s Office (“ICO”) states that implied consent can be demonstrated by a user moving to the next page of a website where the front page of the website clearly and predominantly states that cookies are used.

In order to rely on implied consent, information about cookies must be clearly displayed, usually via a roll-down notice with a link to a more detailed Privacy Policy and/or Cookie Policy (please see below for more information on this). A hidden Privacy Policy would not suffice.

Explicit Consent involves the user knowingly indicating their consent (e.g. checking a box).

In practice, explicit consent is the safest means of ensuring compliance with the EU data protection requirements. Whether this is needed will depend upon the nature of the business and any regulatory concerns surrounding this.

Providing Information: Website owners/hosts are required to provide clear and comprehensive information about the cookies used on a website. This should include information about any third parties which host cookies on their websites; any transfers to third parties; and the owner/host’s use of the data collected by the website.

The easiest way to provide this information is through a Cookie Policy linked to the website’s Privacy Policy.

When do EU laws apply?

Each of the EU member states has its own data protection laws, however these are all governed by the same set of overarching principles. The laws of a particular member state will apply in the following circumstances:

  • The website owner is ‘established’ (please see below) within that member state and the owner collects and processes personal data within the context of that establishment; or
  • The website owner is not established within a member state, but is established in a place where international public law dictates that the laws of that member state apply (this generally only applies to government agencies and embassies, so is unlikely to be applicable to most businesses); or
  • The website owner is not established within that member state but uses ‘equipment’ (please see below) situated in a member state.

A business is considered to be established in a member state if they have human and technical resources permanently available in that member state (e.g. a physical presence).

In the context of the above, equipment does not necessarily have to be owned by the business. Furthermore, when a website places cookies on a user’s device, that device technically becomes equipment used by the website owner to collect data. If the cookie is saved on a hard drive in a member state, the website host will be subject to EU laws.

In practice it is very difficult for the EU authorities to enforce data protection laws against businesses which do not have an EU presence. However, businesses should be aware that they will be subject to these laws whenever they process the data of an individual resident in an EU member state, and the relevant EU IP registrars do have powers to issue fines or demand that changes be made to non-compliant websites.

Whilst the above requirements are not compulsory in countries outside the EU, many other jurisdictions recommend that website operators obtain consent or, as a minimum, provide users with details of cookies in their Privacy Policy.

How to ensure your business complies with its cookie obligations

The best way to ensure compliance is through a Cookie Policy and a roll-down notification statement that appears when users first access the website.

A Cookie Policy must be noted prior to full use of the website and should include the following information:

  • The type of information collected through cookies.
  • How long information will be held.
  • Whether any information will be shared with third parties.
  • Whether any information will be transferred out of the EEA.
  • The purpose of each type of cookie.
  • How to opt out of the use of cookies (including confirmation of how this may impact on the user experience of the website).

The ICO recommends that businesses undertake regular cookie audits to identify the cookies which are used by the website and the characteristics of each cookie.
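The audit the ICO recommends produces, for each cookie, exactly the characteristics the lifespan discussion above and the Cookie Policy list rely on: which host set it, whether it is a session or persistent cookie and for how long, whether it is first- or third-party relative to the audited site, and its security attributes. The following script is an added example, not Oury Clark’s or the ICO’s own tooling; it parses captured Set-Cookie headers (the sample headers and hostnames are constructed placeholders) and builds that audit table. It applies the general RFC 6265 rules rather than only the two lifespan cases the text mentions: Max-Age takes precedence over Expires, and a zero or past value is an instruction to delete the cookie.

```python
"""Cookie audit helper (added example, not from Oury Clark or the ICO).

Given the Set-Cookie headers a site and its embedded third parties send,
build the table a cookie audit needs: cookie name, which host set it,
whether it is a session or persistent cookie and for how long, and
whether it is first- or third-party relative to the audited site.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Optional


@dataclass
class CookieRecord:
    name: str
    set_by_host: str                # host whose response carried the header
    domain: str                     # effective domain the cookie is scoped to
    max_age_seconds: Optional[int]  # None => session cookie (deleted when the browser closes)
    secure: bool
    http_only: bool
    same_site: Optional[str]


def parse_set_cookie(header: str, set_by_host: str, now: datetime) -> CookieRecord:
    """Parse one Set-Cookie header value using the RFC 6265 attribute syntax."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()

    max_age: Optional[int] = None
    # Max-Age takes precedence over Expires when both are present (RFC 6265 section 5.3).
    if "max-age" in attrs:
        max_age = int(attrs["max-age"])
    elif "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:          # treat a naive timestamp as UTC
            expires = expires.replace(tzinfo=timezone.utc)
        max_age = int((expires - now).total_seconds())

    domain = attrs.get("domain", set_by_host).lstrip(".").lower()
    return CookieRecord(
        name=name.strip(),
        set_by_host=set_by_host.lower(),
        domain=domain,
        max_age_seconds=max_age,
        secure="secure" in attrs,
        http_only="httponly" in attrs,
        same_site=attrs.get("samesite"),
    )


def is_third_party(record: CookieRecord, site_host: str) -> bool:
    """A cookie is first-party if the audited site falls within its domain scope."""
    site = site_host.lower()
    return not (site == record.domain or site.endswith("." + record.domain))


def lifespan_label(record: CookieRecord) -> str:
    """Human-readable lifespan for the audit table."""
    if record.max_age_seconds is None:
        return "session"
    if record.max_age_seconds <= 0:
        return "expired on receipt"   # Max-Age=0 or a past Expires deletes the cookie
    return f"persistent ({record.max_age_seconds / 86400:.1f} days)"


def audit(site_host: str, observed: list, now: datetime) -> list:
    """Build one audit row per observed (set_by_host, Set-Cookie header) pair."""
    rows = []
    for set_by_host, header in observed:
        rec = parse_set_cookie(header, set_by_host, now)
        rows.append({
            "name": rec.name,
            "set_by": rec.set_by_host,
            "domain": rec.domain,
            "lifespan": lifespan_label(rec),
            "third_party": is_third_party(rec, site_host),
            "secure": rec.secure,
            "http_only": rec.http_only,
            "same_site": rec.same_site,
        })
    return rows


# Constructed sample: headers as they might be captured from a site and one
# embedded analytics host. Hostnames are placeholders, not real services.
AUDIT_TIME = datetime(2026, 10, 1, tzinfo=timezone.utc)
SITE = "www.example.com"
OBSERVED = [
    ("www.example.com", "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("www.example.com", "prefs=lang%3Den; Max-Age=2592000; Path=/; Domain=example.com"),
    ("tracker.example-ads.test",
     "_trk=xyz; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/; "
     "Domain=.example-ads.test; SameSite=None; Secure"),
]

if __name__ == "__main__":
    for row in audit(SITE, OBSERVED, AUDIT_TIME):
        print(row)
```

The rows this produces map directly onto the Cookie Policy items listed above: the name and purpose column is filled in by hand, the lifespan column comes from `lifespan_label`, and the third-party flag identifies the cookies whose sharing and any transfer outside the EEA must be described. Run it against headers captured from a real browser session of your own site (a developer-tools export or a proxy log) and repeat the audit whenever embedded scripts change.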

Oury Clark can review your current policies and provide advice on updates and implementation in order to ensure that you are compliant with data protection laws in both the UK and the EU. We can also provide advice on the process needed to conduct a cookie audit.

If you require any further information or assistance about your obligations in connection with cookies or data protection more generally then please contact Ben Robson at ben.robson@ocsolicitors.com or on +44 (0)207 067 4300.

DP5

Disclaimer: This note does not contain a full statement of the law and it does not constitute legal advice. Please seek legal advice if you have any questions about the information set out above.


Copyright © 2013 - Oury Clark.