David Cavaliero, partner in the Technology and Media team at Withy King Solicitors in Oxford, examines new legislation surrounding the use of ‘cookies’

You might be breathing a sigh of relief following the announcement from the Information Commissioner's Office (ICO) which gives website owners until May 2012 to comply with the new EU ‘cookie law’.

The new law requires all websites to ask visitors for permission to use cookies — except, for example, if cookies are considered “strictly necessary”.

So what is a cookie?

A cookie is a small file that can be downloaded onto whatever electronic device you are using to access certain websites.

A cookie allows the website to recognise your device and may pass on information concerning your activities and preferences.

All websites that use Google Analytics for tracking visitors will use cookies.

The law has been passed as a response to growing Internet privacy worries.

Websites are currently able to save information from people’s searches, collect data on their preferences and potentially pass details on to third parties without their express consent.

But cookies can have a positive effect on the browsing experience.

They make surfing the Internet quicker and much more convenient.

Cookies permit users to stay logged on to websites and enable personal recommendations by saving preferences.

Online sales are less time consuming as it is not necessary for users to enter their information each time from scratch.

Collecting customer data through cookies is also incredibly useful for businesses.

Not only does it enable targeted marketing activity, but it allows website owners to see which areas of their sites are proving popular and which aren’t.

Using this information to modify the business can result in a more user-friendly, customer relevant organisation.

Communications minister and Wantage MP Ed Vaizey summed up the consternation felt by some website owners when he commented that while a number of web users have real concerns around online privacy, cookies do play a key role in the smooth running of the Internet.

May 2012 might seem far away, but by using the time wisely, you can make sure you are not in danger of getting your fingers burnt with legal fines and penalties.

What to do . . .

n Choose which cookies are strictly necessary — the regulations do not need user consent where the cookie is ‘strictly necessary’ to allow the website to provide a service. For example, adding to online shopping baskets.

n Decide how to go about obtaining consent from visitors for intrusive cookies — ICO has not given any guidance on how to do this, as they feel each website owner is best placed to work out what their visitors will understand.

What are the options for acquiring consent for cookies?

n Installing pop-ups n Express terms and conditions n Settings-led consent — i.e. the user will give consent to cookie settings for the whole site n Feature-led consent — i.e. the user will give consent to use cookies for individual features within a site The ICO has confirmed that amending browser settings to allow cookies is not an option at the moment. This is because most browser settings are not currently sophisticated enough for this to work to any real degree.

It also does not take into account web visitors using mobile applications rather than browsers to view websites.

Speaking of how the ICO are responding to the law, Information Commissioner Christopher Graham said: “I am conscious that my own website will be looked at for a model of how to comply. We have decided to place a header bar on our website giving users information about the cookies we use and choices about how to manage them.”

Which questions should website owners be asking?

n How do I get consent from visitors without getting in their way?

n How long will visitors put up with permission requests every time they go to a new website?

n Is this the year when the dreaded "pop-ups" make a come back?

n How much data will Google Analytics be able to report back once people start rejecting cookies?

n Will advertising on sites become problematic — and whose responsibility will it be to acquire consent?

What are the penalties?

The penalties for companies failing to comply by May 2012 include a fixed fine of £1,000. Companies in serious contravention of the rules may be subject to a £500,000 fine.

This may be if the contravention was deliberate, if the website owner should have been aware and failed to take steps or if substantial damage or distress has been caused.

The current compliance steps have not been made available for the new law, so it’s difficult to advise at this stage on the best way of dealing with them.

But now is a good time to review your website consent forms and agreements to ensure they are compliant and as ready as you can be for the changes that lie ahead. ib n Contact: David Cavaliero, Withy King, 01865 792300 Web: www.withyking.co.uk