The Way the Cookie Crumbles: The ICO Issues Guidelines on "Cookie" Regulations

Do you own a website?  If so, you should be aware of changes to the law on "cookies".

The changes to the existing Privacy and Electronic Communications Regulations (the Regulations) are set to have a significant impact on the way in which cookies (small text files that remember what a user has visited on the internet) are used by website operators.

What changes have been made?

Previously, the Regulations provided for an ‘opt-out’ approach whereby cookies could only be stored on a user’s device if the user was provided with clear and comprehensive information about the purpose of the cookies and had been given the opportunity to refuse the use of cookies.

Up until now, websites have simply needed to include the relevant information in their online privacy policies.

However, the new rules introduced an "opt-in" approach to obtaining user consent.  Now, internet users have to be fully informed as to the purpose of the cookies and the extent of the information which is going to be stored before providing their express consent. 

At present, internet browser settings are not considered sophisticated enough to be used as a way of indicating a user's consent to having their browsing activity tracked.  Rather than relying on browser-based solutions, web providers will have to adopt alternative methods to comply with the new requirements.  Some alternative methods suggested by the Information Commissioner's Office (ICO) include the use of pop-ups, the website’s terms and conditions, or by introducing information into the footer or header of the web page which is activated as a scrolling item of text when the website operator wants to place a cookie onto the user’s device.

Are there any exceptions to the rule?

The only exception to the requirement for "opt-in" consent is where the storage of information is “strictly necessary” for the provision of a service requested by the user.  The ICO has stressed that this exception will be strictly interpreted in practice and limited to a narrow range of activities such as where information is stored in a customer’s online shopping basket in order to complete a transaction.

When must consent be obtained?

The ICO has advised that consent need only be obtained before a cookie is set for the first time (and not each time a user visits a website). However, further information and consent will be required if the cookie is used in the future for a different purpose.


With only a few weeks left until the amended Regulations come into force, the ICO advice on their application has been criticised as too little too late.  In light of the amount of scope left to organisations to decide what works best for them, it will be difficult to know which methods of obtaining informed user consent will guarantee compliance until enforcement action is taken.

However, until further guidance is issued, it is crucial that web providers begin to consider how they aim to comply.  At the very least, this will involve some serious, practical thinking as to how providers can effectively communicate with their website users regarding their level of cookie usage and the data stored by cookies and similar technology.

For guidance on how to comply with the rules click here.

For a link to the full article click here.

Please click here for a copy of the ICO's full guidance on how to prepare for the new rules on cookies.