Tag Archives: cookie law

Regulations Governing The Use of Cookies

New regulations governing the use of cookies came into force in the UK on 26th May 2012

By law, operators of a website in the UK must now gain users’ consent to place cookies on their machine or face a fine of up to £500,000.

How does this affect me?
According to the About Cookies website:

The UK Regulations carry a maximum fine of £500,000 for serious breaches. It is anticipated that this power will only be used in limited circumstances. Before this the fine was £5,000 and companies may have been willing to run the risk but with these increased powers the result of enforcement action is potentially more severe.

Source: http://www.aboutcookies.org/default.aspx?page=3

What are cookies?
A cookie is a small text file that a website places on a user’s machine. Typically, cookies are used to store information about a user’s session, such as the contents of a shopping cart, or to retain information across sessions, such as user preferences.

Cookies can be created by the site itself and by third parties. One primary example of a third-party cookie would be Google Analytics which might create cookies to help it track users’ activity.

Sites which use advertising networks such as Google Ads would also set third party cookies on users’ machines.

How are cookies used in a WordPress site?
In its core functionality, WordPress uses cookies for logged-in users and for commenters. However, non-core plug-ins may also set their own cookies.

Interpretations of the regulations
The UK Information Commissioner has issued a set of guidelines for website owners on how to interpret the regulations.

They summarise the steps you might need to take to ensure you comply as follows:

Implied consent is a valid form of consent and can be used in the context of compliance with the revised rules on cookies.
If you are relying on implied consent you need to be satisfied that your users understand that their actions will result in cookies being set. Without this understanding you do not have their informed consent.
You should not rely on the fact that users might have read a privacy policy that is perhaps hard to find or difficult to understand.
In some circumstances, for example where you are collecting sensitive personal data such as health information, you might feel that explicit consent is more appropriate.
Source: http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/the_guide/cookies.aspx

Implied consent
At the very least, it seems that you should provide some information on your site with regard to the use of cookies though the ICO has indicated that simply having a page about cookies that may be hard to find is not be sufficient to comply with the regulations. Interestingly, at the time of writing, this is the approach taken by the BBC who have provided detailed information on their usage of cookies (http://www.bbc.co.uk/privacy/cookies/) but no further notification to the user.

Solutions
There are already a number of solutions available. It may be that you wish to force users to accept cookies on the site. The main drawback of this is that you risk deterring users from your site. Our reading of the regulations suggests that unless you are collecting sensitive personal information, then implied consent is sufficient to comply.

Our approach
It is vital to maintain a balance between the legal requirements and the requirements of your business. Obtrusive notices in the form of pop-ups are more likely to deter visitors from your site than inform them of their options with regard to cookies. Likewise the use of opt-in forms where the user must actively agree for cookies to be used.

We believe that if a user does not wish to accept cookies on your site, it’s likely that they don’t wish to accept cookies on other sites. For this reason, the most practical solution for the user is to disable cookies in their browser rather than on every site they visit. It’s also likely that yours will not be the first site they visit since the directive was introduced – so they will already have made a decision as to whether they wish to accept cookies in general.

The guidance recommends a “clear and unavoidable notice that cookies will be used”. We suggest prominent links on your site to notify cookies are being used on your site with a link to read further information about what cookies are used on your website, why they are used and how to disable them. This information will also provide a notice of implied consent that if the user continues to browse the site they are happy with the cookies set. If they are not happy they can choose to make the changes as described or dismiss browsing your site altogether.

All Websorceress website maintenance subscribers websites and sites built by Websorceress after the law was introduced have been updated with a relevant ‘informed consent’ cookie policy which we feel covers the requirements of the law. However, we are not lawyers and if you are in any doubt about how best to comply, we recommend you consult a legal expert.