Date of publication: November 2016
Cookies are small files which track user access to websites in order to collect information about individuals and their online behaviour. They are placed on the user’s hard drive, often without the user’s knowledge, in order to collect information about each visit to the website. Certain information, such as preference settings and login details, is then retained for subsequent visits.
Cookies are most frequently used to:
Cookies can be used to collect a variety of information and will have differing lifespans. Some cookies will be automatically deleted as soon as a session ends, whereas others will remain on the user’s device for subsequent visits to the website. The lifespan will generally reflect the type of information being collected and the intended use of the particular cookie.
In the European Union (“EU”), data protection laws apply whenever a business collects ‘personal data’ from individuals that are based within the EU.
Personal data means any information which relates to a living individual who can be identified from that data, whether on its own or in conjunction with other obtainable information. This includes basic details such as names, addresses, photos and IP addresses. (For more information about data protection please see our related Quick Guides and booklet on this subject.)
If cookies are only being used in a way that does not collect personal data (e.g. where they are solely for navigation purposes), then data protection laws should not apply. Where cookies are used which do collect personal data (e.g. to remember login data), then the website host must meet certain requirements, as set out below:
Consent: Under UK law, a business must obtain the consent of an individual before collecting and processing their personal data. Therefore, if a website collects personal information through its cookies, the website owner/host will need to obtain consent prior to processing. This consent can be implied or explicit as follows:
Explicit Consent involves the user knowingly indicating their consent (e.g. checking a box).
In practice, explicit consent is the safest means of ensuring compliance with the EU data protection requirements. Whether this is needed will depend upon the nature of the business and any regulatory concerns surrounding this.
Providing Information: Website owners/hosts are required to provide clear and comprehensive information about the cookies used on a website. This should include information about any third parties which host cookies on their websites; any transfers to third parties; and the owner/host’s use of the data collected by the website.
Each of the EU member states has its own data protection laws, however these are all governed by the same set of overarching principles. The laws of a particular member state will apply in the following circumstances:
A business is considered to be established in a member state if they have human and technical resources permanently available in that member state (e.g. a physical presence).
In the context of the above, equipment does not necessarily have to be owned by the business. Furthermore, when a website places cookies on a user’s device, that device technically becomes equipment used by the website owner to collect data. If the cookie is saved on a hard drive in a member state, the website host will be subject to EU laws.
In practice it is very difficult for the EU authorities to enforce data protection laws against businesses which do not have an EU presence. However, businesses should be aware that they will be subject to these laws whenever they process the data of an individual resident in an EU member state, and the relevant EU IP registrars do have powers to issue fines or to demand that changes be made to non-compliant websites.
The ICO recommend that businesses undertake regular cookie audits to identify the cookies which are used by the website and the characteristics of each cookie.
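As an added illustration of what such an audit records (this is example code written for this guide, not Oury Clark's or the ICO's own tooling), the script below parses Set-Cookie headers captured from a site's responses and notes, for each cookie, the characteristics discussed above: whether it is a session or persistent cookie, whether it was set by the site itself or by a third party, and whether the Secure and HttpOnly flags are present. The host names, header values, site domain and reference date are all constructed for the example.

```python
"""Cookie audit helper (added example; not Oury Clark's or the ICO's tooling).

Parses Set-Cookie headers collected from a site's responses and records the
characteristics an audit needs: lifespan (session vs persistent), whether the
cookie was set by the site itself or a third party, and the Secure/HttpOnly
flags. Host names, header values, site domain and reference date are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie
from typing import List, Optional, Tuple

# Constructed sample: (host that sent the response, Set-Cookie header value).
SAMPLE_RESPONSES: List[Tuple[str, str]] = [
    ("www.example.com", "sessionid=abc123; Path=/; HttpOnly; Secure"),
    ("www.example.com", "lang=en; Max-Age=31536000; Path=/"),
    ("www.example.com", "prefs=dark; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Domain=example.com; Path=/"),
    ("ads.tracker-example.net", "uid=xyz789; Max-Age=63072000; Domain=.tracker-example.net; Path=/; Secure"),
]
SITE_DOMAIN = "example.com"  # the site being audited (constructed)
REFERENCE_NOW = datetime(2016, 11, 1, tzinfo=timezone.utc)  # fixed "now" so results are reproducible


@dataclass
class CookieRecord:
    name: str
    served_by: str
    lifespan: str                   # "session" or "persistent"
    max_age_seconds: Optional[int]  # None for session cookies
    party: str                      # "first-party" or "third-party"
    secure: bool
    http_only: bool


def classify_cookie(served_by: str, set_cookie: str, site_domain: str = SITE_DOMAIN,
                    now: datetime = REFERENCE_NOW) -> CookieRecord:
    """Turn one Set-Cookie header into an audit record."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    (name, morsel), = jar.items()  # one cookie per Set-Cookie header

    # Lifespan: Max-Age takes precedence over Expires (RFC 6265);
    # a cookie with neither lives only until the browser session ends.
    max_age: Optional[int] = None
    if morsel["max-age"]:
        max_age = int(morsel["max-age"])
    elif morsel["expires"]:
        expiry = parsedate_to_datetime(morsel["expires"])
        max_age = int((expiry - now).total_seconds())
    lifespan = "session" if max_age is None else "persistent"

    # Party: judged by the host that served the response, not by the Domain attribute.
    first_party = served_by == site_domain or served_by.endswith("." + site_domain)

    return CookieRecord(
        name=name,
        served_by=served_by,
        lifespan=lifespan,
        max_age_seconds=max_age,
        party="first-party" if first_party else "third-party",
        secure=bool(morsel["secure"]),
        http_only=bool(morsel["httponly"]),
    )


def run_audit(responses=SAMPLE_RESPONSES, site_domain: str = SITE_DOMAIN,
              now: datetime = REFERENCE_NOW) -> List[CookieRecord]:
    """Classify every captured Set-Cookie header."""
    return [classify_cookie(host, header, site_domain, now) for host, header in responses]


def needs_review(records: List[CookieRecord]) -> List[str]:
    """Names of persistent cookies set by third parties: the ones to check first
    against what the site's cookie information discloses."""
    return [r.name for r in records if r.party == "third-party" and r.lifespan == "persistent"]


if __name__ == "__main__":
    audited = run_audit()
    for rec in audited:
        print(f"{rec.name:10} {rec.served_by:24} {rec.lifespan:10} {rec.party:12} "
              f"secure={rec.secure} httponly={rec.http_only} max_age={rec.max_age_seconds}")
    print("review first:", needs_review(audited))
```

In a real audit the `SAMPLE_RESPONSES` list would be replaced by headers captured from the site's own pages and the third-party resources they load; the classification logic stays the same.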
Oury Clark can review your current policies and provide advice on updates and implementation in order to ensure that you are compliant with data protection laws in both the UK and the EU. We can also provide advice on the process needed to conduct a cookie audit.
If you require any further information or assistance about your obligations in connection with cookies or data protection more generally then please contact Ben Robson at firstname.lastname@example.org or on +44 (0)207 067 4300.
Disclaimer: This note does not contain a full statement of the law and it does not constitute legal advice. Please seek legal advice if you have any questions about the information set out above.
Copyright © 2013 - Oury Clark.