From 26 May all businesses with a website are required to obtain consent from users or subscribers in order to use cookies. This is to comply with the Privacy and Electronic Communications Regulations.
A cookie is a string of data (usually letters and numbers) which, by being stored on a particular device accessing a website, functions as a unique identifier for it.
The Regulations set out the requirements for notice and consent for cookies and other similar technologies. However consent is not a straightforward concept: the Information Commissioners Office (ICO) is not prepared to endorse any specific solution; instead, it advises organisations to adapt their approach depending on the type of cookie being used and the relationship with the users. Browser settings could offer a way of indicating consent to the use of cookies. However, the general view is that most current browser settings are not sophisticated enough for websites to infer that consent has been given to allow a cookie to be set.
In order to comply with the new regime there are some practical steps which businesses can take including: conducting a "cookie audit"; assessing the privacy intrusiveness of the cookies used; and deciding what level of information to provide to users so that they can understand clearly the potential consequences of agreeing to allow the cookies to operate on their devices. Businesses should also review their website terms and conditions and privacy policies.
The ICO may exercise a range of powers at its disposal in relation to breaches of the Regulations, including Enforcement Notices, Information Notices and fines of up to £500,000.
