Posted: Wednesday, 18 January 2012 @ 10:00
The new regulations relating to cookies which came into force last year basically requires website owners not only to provide information about cookies they use and a mechanism to opt out, but to obtain consent from users of the site before a cookie is used. The only circumstances where this does not apply are very limited.
The only exception to the requirement to provide information and obtain consent is where the use of the cookie is:
- for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
- where such storage or access is strictly necessary for the provision of an information service requested by the subscriber or user.
Website owners are most likely to look at the second part of the above exception in the hope of avoiding the need to obtain consent from users of their site, but if they do so they must be satisfied that it applies as the ICO have made it clear that their view is that the exemption is to be interpreted narrowly.
The application of the second part of the exemption hinges around what is meant by “strictly necessary”. The ICO considers that “strictly necessary” means that the cookie or similar technology must be essential to provide the service requested by the user. It is not sufficient for it to be reasonably necessary to provide the service requested by the user or essential to some other use the website owner wishes to put the information.
The types of cookie likely to fall within the “strictly necessary” exemption are those used by online shopping sites to ensure that when a user selects an item or proceeds to checkout, the site registers the chosen item, so no consent for such cookies are needed. Two more examples are given in the ICO guidance of cookies likely to be “strictly necessary”:
- cookies essential to comply with data protection security requirements for an activity requested by the user, such as when using online banking
- cookies essential to ensure that page content loads quickly and effectively by distributing the workload across several computers
The second example above must be carefully considered as against other uses of cookies, such as cookies to recognise a user returning to the site to give them a personalised greeting , cookies to analyse the number of unique visits to a site and so on which would not fall within the exemption, so would need consent.
There are links below to other blogs on this topic and if you would like any help please contact me.
Commercial Solicitor, Birmingham
Tel: 0845 003 5639
Previous blogs on this topic which you may wish to look at are:
Website owners are warned by Information Commissioner about lack of progress in compliance
New guidance from the ICO about the cookies regulations
Blog by Sue Mann
Sue is an experienced commercial solicitor based in Birmingham from where she helps businesses all over the country advising on, drafting, and reviewing business contracts and commercial agreements. View profile
This blog is not intended to constitute legal advice, nor is it intended to be a complete and authoritative statement of the law, and what we say might be out of date by the time you read it. You should always seek legal advice to confirm whether or how any information in this article applies to your particular situation. We offer a free telephone consultation
to discuss your particular circumstances.