The way the cookies crumble

Laura Monro

This article was originally written for and featured in Childrenswear Buyer Online.

An informal review of the websites of various businesses referred to in the August edition of Childrenswear Buyer found that only half of these businesses have policies relating to the use of cookies on their websites! Even fewer have registered with the Information Commissioner’s Office (“ICO”) as a data controller of personal information.

Why do these issues matter?

The use of cookies is regulated in the UK by certain privacy and electronic communication regulations (the Regulations) designed to protect the privacy of internet users. The ICO is responsible for enforcing compliance with the Regulations and has the power to take action where necessary. This includes:

  1. committing a business to a particular course of action in order to improve its compliance with the Regulations;
  2. compelling a business to take action to bring about compliance with the Regulations; and
  3. although unlikely, fining a business up to £500,000.

But the non-legal consequences of not complying with the Regulations should be of equal concern to businesses.

So what are cookies? Cookies are small files downloaded onto a device such as a computer, tablet or mobile phone when the user accesses certain websites. Cookies collect information about the user’s internet activity, including their user preferences. The Regulations apply to all information collected by cookies, including personal data. However, where cookies collect personal data such as the user’s name, postal address or email address, businesses need to ensure that they comply with the additional requirements of the UK Data Protection Act. In addition, any business collecting personal data through its website should have an online privacy policy setting out the business’s practice in relation to the collection, storage and use of that personal data.

The Regulations require that users are told about the cookies placed on a website and given the choice as to which of their online activities are monitored in this way. A cookie may only be used if users have given their consent, having been provided with clear and comprehensive information about the purpose of that cookie. Consent must involve some form of communication where the user knowingly indicates their acceptance – obtaining consent that relies on a user’s ignorance about what they are agreeing to is unlikely to comply with the Regulations.

Between April and June 2014, the ICO received 38 reported concerns about cookies. The ICO has stated that it is taking a practical and proportionate approach in enforcing the Regulations where organisations are making the effort to comply. However, its current focus is on ensuring compliance with the Regulations by websites that are doing nothing to raise awareness of cookies, or to obtain the user’s consent to the use of various cookies. The ICO will look unfavourably on a business with a casual approach to data protection and the privacy of its customers, particularly at a time of heightened interest following, for example, the trial of Rebekah Brooks and Andy Coulson.

What do you need to do to comply? As a first step, if you have an online presence you should undertake a “cookie audit” to assess the cookies used on your website, and the purposes of each cookie. Once identified, you will be able.