That’s the way the Cookie Crumbles

Cookie privacy directive

Are you following the cookie directive?

Many thanks to Howard Raper of Heblethwayte Solicitors for writing this informative article.

UK businesses now need to get website visitors’ consent to store and retrieve preferences information – does your site comply with the new EU’s Privacy and Electronic Communications Directive concerning cookies?

What’s a cookie?

A “cookie” is a text file placed by a website on the hard disks of users of the website (often without the user being aware of this) to increase and make the browsing experience more efficient.  This text file may also process personal data (to varying degrees) about the user and how he navigates the site and, depending on the type of cookie, other sites he visits.

The Problem

Cookies may be used for malevolent purposes as they store personal data about a users browsing preferences and, in circumstances where the user has no knowledge of it or its intrusiveness has not been explained in a clear and comprehensive manner, it may even be used as a form of spyware especially if the personal data is passed to a third party.

Consequently, the law was amended (please see below) to deal with any abuse of privacy or personal data that this type of misuse caused.

The Law

Up until 25 May 2011 the law relating to cookies was that a website operator had to:

  • inform users of their website how they used cookies; and
  • if they objected, inform users how they could “opt out”

These requirements were usually dealt with by putting information relating to cookies and how to opt out in the website owner’s privacy policy.  Now the law states that website operators will only be permitted to use cookies if the user concerned has: 

  • been provided with clear and comprehensive information about the cookie; and
  • given his consent to its use before the cookie is implanted in his hard drive.

Once the information has been provided and the consent obtained it is not necessary to do so again for the same user each time that cookie is sent to that user.


The Information Commissioner’s Office (ICO) has been tasked with policing the new rules. 

At present the ICO has stated that if it were to receive a complaint about a website and the operator had done nothing to implement the current changes or demonstrate how it has considered implementing such changes the penalty will be more severe than an operator who can demonstrate it is taking adequate measures to comply with the new law.

What Action do I need to take now?

To demonstrate compliance it is advisable to show that your organisation has a plan of action to implement the necessary changes and has, at least, considered the following:

  • preparing a table of the type of cookies used (and any similar technology);
  • ascertaining how intrusive each cookie is; and
  • deciding what level of consent is needed to tackle its intrusiveness.

Please note there are various levels of consent that can be utilised ranging from browser settings (not advised) to terms and conditions or pop-ups.  If you have any questions or queries concerning the above please contact Howard Raper of Heblethwayte Solicitors on 01482 441021 or via e-mail at

This entry was posted in Business, E-commerce, eLaw, Web site design & development. Bookmark the permalink.

Comments are closed.