The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 require consent to be obtained for the use of cookies and similar technologies for storing information, and accessing information stored, on a user’s equipment, such as their computer or mobile phone. The Regulations came into force on 25 May 2011. However, the Information Commissioner’s Office (ICO) announced that organisations would be allowed a year-long period to work towards compliance with the changes. That grace period has now expired.

Previously, privacy rules only required websites to tell users about cookies they used and provide information on how to ‘opt out’. Most organisations did this by putting information in their privacy policy. The new rules require that in most cases websites wanting to use cookies must gain consent, which must involve some form of communication whereby the individual knowingly indicates their acceptance. The ICO made last-minute changes to its guidance on how to comply with the new cookie law in order to clarify the following points with regard to implied consent:

• Implied consent is a valid form of consent and can be used in the context of compliance with the revised rules on cookies;
• If you are relying on implied consent you need to be satisfied that your users understand that their actions will result in cookies being set. Without this understanding you do not have their informed consent;
• You should not rely on the fact that users might have read a privacy policy that is perhaps hard to find or difficult to understand; and
• In some circumstances, for example where you are collecting sensitive personal data such as information about an identifiable individual’s health, data protection law might require you to obtain explicit consent.

The regulations have been comprehensively updated by the General Data Protection Regulation (GDPR), which takes full effect on 25 May 2018. In effect, the GDPR will mean that any cookie which allows a user’s device to be identified will be treated as being ‘personal data’ and this subject to regulation by the GDPR and specific consent will need to be given

A ‘session cookie’ exists only to make website functions work for the duration of a browser’s session. These are anonymous and are not therefore wihin the scope of the GDPR.

Source: Commercial Client library Content