Home » Our News » Change to UK Cookie Law

Change to UK Cookie Law
25 May 2011

EU and UK Law on the Use of Cookies 

UPDATE 25 May 2011: The Information Commissioners Office have issued a new statement that effectively gives UK organisations a further 12 month to comply with the new regulations. This does not mean we can wait the 12 months out but that they have 12 months to find a more workable solutions and we can take time to consider how we meet the requirements.

This affects all EU based websites and organisations and so it is worth spending a few moments understanding what has changed and how it affects you.

In essence the law says we now need to ask the visitor’s “prior consent” before placing a cookie on their machine. The exception to this rule is where the cookie is “strictly necessary” for the service requested.

What is a cookie

Cookies are small data files that are placed on a website visitors’ machine to help deliver the sites functionality such as allowing access to member areas, operation of shopping baskets and to aid in site analytics.

If that has whet your appetite for more detail, please take a trip to Wikipedia - http://en.wikipedia.org/wiki/HTTP_cookie

Prior consent

You’ve guessed it - “prior consent” is ill-defined. The EU regulation states that this includes where a visitor “amends or sets controls on their browser”. In the UK the Information Commissioner had delayed guidance while they looked into making the browser provide more control over cookies. Unfortunately the Information Commissioner has then commented that in the UK interpretation, setting browser controls alone is not sufficient.

The resulting confusion will settle in the coming months.

Strictly necessary

The exception to this “prior request” rule is where the cookie is “strictly necessary” to deliver the required functionality. Generally on a Free Rein CMS system we use cookies that are required to deliver the functionality, session cookies to deliver the pages, authentication for accessing member only areas and data cookies for a shopping cart.

There are only two exceptions to this on our systems. The first is the Google Analytics data in the session cookie which allows collection of anonymous data about use of the site. The second is an element in the session cookie we use for authorising access to the administration site - which technically could be classed as necessary for the audit trail and version control.

What do you need to do

We will keep an eye on the developing interpretation of the legislation in the UK and let you know whenever we learn of anything that changes our views. Please contact your own solicitor where you have sub-sites specifically provided for non-UK visitors, though the sites are served from UK based data centres. Local legislation in other EU countries may vary.

In the meantime here is the additional information we have added to our site to explain the use of cookies and pointing out the option the visitor has to block them. You can download the ICO guidance note here