Complying with the New Rules on Cookies
Members - Free | Non-Members - £250+VAT (it may be more cost-effective to join us)
Executive Summary
In May 2011, new regulations were introduced governing the consent requirements of websites that download cookies or utilise similar technologies for storing information on a user's machine (e.g. Flash cookies). The new regulation is enforced by the Information Commissioner and is the United Kingdom Government's implementation of a European Directive.
The headlines from a website owner's perspective are that although the regulation came into force in May 2011, the Information Commissioner has indicated he would be unlikely to take formal action against those who were taking steps to comply with the rules during a 12 month lead-in period ending in May 2012, in recognition of the complexity involved in reaching full compliance. However, if a complaint is received about a website they will investigate and expect website owners to have an active plan in place in order to reach compliance by May 2012. The Information Commissioner does have the remit to impose civil penalties of up to £500,000 for breaches of the regulations. The major risks of non-compliance and the resulting enforcement action are two-fold: firstly the financial penalty and secondly the damage to brand and reputation. This new regulation is in force now and your business should be actively working towards compliance, achieving it by the end of May 2012 at the latest.
Secondly, consent must involve some form of communication where the user knowingly indicates their acceptance. A website cannot assume consent just because it is mentioned in the Terms and Conditions of Use or in the Privacy Policy; the user must take positive action to confirm, or deny, consent. All cookies are included in this regulation, both first-party and third-party. However, there is an exception made for those cookies that are strictly necessary for the provision of a service requested by the user. This would include a cookie for storing the contents of a shopping basket but not, for example, those used for web analytics.
Thirdly, much has been said about the use of browsers as the consent mechanism. The view of the Information Commissioner's Office (ICO) and the European Commission is that browsers are not currently sophisticated enough to be relied on as a valid mechanism for obtaining consent. Also, the use of older browsers is so widespread that it is unlikely we will be able to rely on browsers as a consent mechanism for some time.
Finally, reflecting ICO guidance, IMRG recommend that the following steps are taken in order to gain compliance:
1. Run an audit to understand what cookies (or similar technologies) are being set by your website when a user visits your site.
2. Assess these cookies and grade them by level of intrusiveness, based on the privacy implications of the cookie being set.
3. Decide on the most appropriate mechanism for gaining consent for these cookies to be used. Also, consider how your site will manage the experience of those subscribers who decline to give you permission to download cookies.
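The three steps above can be mechanised for a first pass. The following is an added example, not part of the IMRG briefing or ICO guidance: a small Node.js script that parses Set-Cookie headers captured from a crawl of the site (step 1), grades each cookie as first- or third-party, session or persistent, and by purpose (step 2), and gates cookie setting on recorded consent so that only strictly-necessary cookies such as the basket or login session are set without it (step 3). The site domain `shop.example`, the captured headers and the `PURPOSES` table are all constructed placeholders; a real audit fills the table from the site's own cookie inventory.

```javascript
// Added example (not from the IMRG briefing): cookie audit and consent gate.
// Assumptions: the site's own domain is "shop.example" (placeholder); the
// captured headers and the purpose table below are constructed for illustration.

const SITE_DOMAIN = "shop.example";

// Constructed Set-Cookie headers, as a crawl of the site might capture them.
const CAPTURED = [
  { url: "https://shop.example/basket", header: "basket_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax" },
  { url: "https://shop.example/", header: "_ga=GA1.2.111; Expires=Wed, 01 Jan 2025 00:00:00 GMT; Path=/" },
  { url: "https://ads.example.net/pixel", header: "uid=999; Domain=.ads.example.net; Expires=Wed, 01 Jan 2025 00:00:00 GMT" },
  { url: "https://shop.example/login", header: "sessionid=xyz; Path=/; HttpOnly; Secure" },
];

// Purpose table (constructed): cookie name -> purpose and intrusiveness grade.
// "necessary" is the strictly-necessary exception (basket, login session);
// "analytics" and "advertising" require consent before being set.
const PURPOSES = {
  basket_id: { purpose: "shopping basket", grade: "necessary" },
  sessionid: { purpose: "login session", grade: "necessary" },
  _ga: { purpose: "web analytics", grade: "analytics" },
  uid: { purpose: "ad tracking", grade: "advertising" },
};

// Parse one Set-Cookie header into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Step 1: is the cookie first-party relative to the site domain? The Domain
// attribute wins if present, otherwise the host of the response that set it.
function isFirstParty(cookie, responseUrl) {
  const host = (cookie.attrs.domain || new URL(responseUrl).hostname).replace(/^\./, "");
  return host === SITE_DOMAIN || host.endsWith("." + SITE_DOMAIN);
}

// A cookie with Expires or Max-Age survives the browser session: more intrusive.
function isPersistent(cookie) {
  return "expires" in cookie.attrs || "max-age" in cookie.attrs;
}

// Step 2: build the graded inventory. Cookies missing from the purpose table
// are reported as "unclassified" so they are never silently treated as allowed.
function audit(captured) {
  return captured.map(({ url, header }) => {
    const c = parseSetCookie(header);
    const p = PURPOSES[c.name] || { purpose: "unknown", grade: "unclassified" };
    return {
      name: c.name,
      party: isFirstParty(c, url) ? "first" : "third",
      persistent: isPersistent(c),
      purpose: p.purpose,
      grade: p.grade,
    };
  });
}

// Step 3: consent gate. consent is e.g. { analytics: true, advertising: false }.
// Strictly-necessary cookies are always allowed; anything else needs an explicit
// true for its grade, and unclassified cookies are refused until graded.
function maySet(cookieName, consent) {
  const grade = (PURPOSES[cookieName] || { grade: "unclassified" }).grade;
  if (grade === "necessary") return true;
  return consent[grade] === true;
}

console.table(audit(CAPTURED));
console.log("set _ga without consent:", maySet("_ga", {}));
console.log("set _ga with analytics consent:", maySet("_ga", { analytics: true }));
```

The default-deny choices are the ones that matter: a cookie the audit has not classified is refused, and a grade absent from the consent record counts as no consent, so a user who never interacted with the consent mechanism gets only the strictly-necessary cookies.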
The following briefing note will provide further background and detail for website owners looking to achieve compliance and includes some guidelines to inform your own project.