
The law on Cookies

“Cookie”

n. a small, flat baked treat, usually containing fat, flour, eggs and sugar.


“Cookie”

n. a message, or segment of data, containing information about a user, sent by a server to a web-browser and sent back to the server each time the browser requests a web page.


Introduction


For the purpose of this Auxilia we are going to presume that you know all you need to know about the sugary treat, and will concentrate on the second of these two definitions. What is not so well-known is that the HTTP cookie that we all know (though perhaps do not admit to love) is in fact named after a derivative of the eponymous ‘treat’, the “magic cookie”, or more usually the “fortune cookie”. ‘Why?’ you might ask: the reason is that this innocuous-looking file could contain incredibly useful and valuable data for website owners, and all without the web user even knowing about it (thus ‘magic’).


It has long been thought that cookies were the scourge of web users and their 'heroic defenders of privacy' - the browsers. It may surprise you then to learn that the cookie was initially developed by a computer programmer called Lou Montulli back in 1994, at a time when he was working to develop an e-commerce system whilst working at Netscape Communications, and was integral to getting the Netscape Navigator browser to recognise the cookie format. The rest is, as they say, history, but the outcome is that today cookies are needed in practically every website in the world, and without them some websites would not even function.


What is wrong with cookies?


This all depends on what you use them for. Cookies have a number of different functions, including:



  • Tracking users’ use of a website

  • Stats collection (i.e. unique visits etc)

  • Online shopping carts (remembering purchasers)

  • Remembering log-ons (so interactive systems such as forums or even the BBC website know that you have logged on, and remember your site settings)

  • Remembering what you like on the 'web 


So, it is clear that cookies are very useful indeed for site owners, but why would users have an issue with them, particularly when turning them off affects the way that sites work? The truth is that most would not really mind, but our elected representatives (and more accurately our European representatives) have different views here.


Privacy is an issue that matters greatly to the powers in Europe, and also to our national organisations such as the Information Commissioner. However, the truth is that when pushed on the matter, and given all the facts about how cookies work and why site owners use them, many web users also take great issue with them.


What should site owners do?


There are a few things that you must consider when you are providing a service that relies on cookies or other tracking technology:



  1. It may sound rather obvious, but are you actually using cookies or another tracking technology?

  2. Do you need to use this sort of technology to provide your service online?

  3. If you need them and you are using them, have you told your users?


Of these, the last consideration is by some way the most important. This is because, regardless of the disdain in which cookies are held by many, they are actually perfectly acceptable and permitted as long as you have told people that you are using them. The following sections show how this can be done in a number of different circumstances:


Use of Cookies/Tracking on Websites


Step 1

Ensure that you have set out very clearly in your Terms and Conditions the following information:



  • What sort of tracking you use

  • Why you are using them

  • What you do with any data collected

  • Whether you allow anyone else to use that data

  • Whether data is stored in the UK/Europe or if it goes outside of the EU


Step 2

You must tell your users, again in the Terms and Conditions section and the Privacy Policy, who they can contact within your firm/organisation to find out what data has been collected using cookies, and how they can get details of that data or have it deleted.


Step 3

Make links to your Terms and Conditions and Privacy Policy clear from your home page.


Of these steps, the final one is where many firms/organisations/website owners slip up. Setting a link from the footer of each page, normally near the copyright statement, has become the de facto standard location.


Use of Cookies/Tracking on Mobile Devices


Step 1

Where a user signs up using a mobile-enabled device, you must provide details of where the Terms and Conditions / Privacy Policy can be read in full.


Step 1 (Alternative)

You must provide a Click-wrap Service Level Agreement / Terms and Conditions on initial use of the service / app, which the user must agree to before use by virtue of an ‘I agree’ button.


IMPORTANT - Upcoming Changes


The law on cookies is changing as of 25th May 2011, at which point the new e-Privacy Directive will come into force. The purpose of this legislation was to provide some form of guidance in relation to ‘targeted advertising online’, that is, adverts which are fed specifically to you because of things you have previously looked at or visited online. For example, if you were to search for a particular brand of perfume on eBay, clever (or perhaps “magic”?) cookies will remember this and will subsequently present deals or information about similar products or services when you visit other websites using the same cookie type. So when you next visit the John Lewis website, if they were using the same cookie tracking system as eBay, they would present their current deals for the same perfume brand, or other brands that they feel may be of interest to you.


Understandably, the privacy watchdogs are concerned about this, so the new e-Privacy Directive requires all websites to get the express consent of users prior to the cookies getting downloaded to their computer / device. Express consent means that users must actively say that they are happy for the cookies to be downloaded to their device, rather than implied consent, which means that simply by having a setting on their web-browser ticked which allows cookies to be downloaded to their device they are in some way agreeing to it. Unfortunately, no one really knows how in practice this will work, and so we just do not know whether we will need messages or ‘tick boxes’ on all website home pages that use cookies (and in particular behavioural or advertising cookies) or whether browsers will present some form of built-in warning when such cookies are used on a site. What we do know is that the government are currently working on a consultation and set of guidance on what website owners should do with regard to express consent for use of cookies. Unfortunately, this guidance will not be available by the 25th May 2011, and so most website owners will be technically in breach of the new e-Privacy Directive at this time. However, it is highly unlikely action will be brought against any website owner that has at the very least made some effort to bring to users' attention that cookies are being used and is being open about this.


If you have any questions about the use of cookies on your website, or would like a general chat to see whether your site is compliant, I will be happy to answer any emails.

last update: 22 August, 2011


author:   

Neil Pfister

Solicitor, Company & Commercial, Fisher Meredith


w. www.fishermeredith.co.uk | e. neil.pfister@fishermeredith.co.uk | t. 020 8334 7938