It previously appeared on the AboutCookies.org site, which like Out-Law.com was run by Pinsent Masons.
This is part of Out-Law's guide to cookies. EU law requires website operators to obtain consent to the use of cookies, other than strictly necessary cookies, and to provide users with information about how to manage and delete cookies.
We provide that here, and many organisations link to our guidance rather than lengthen already-lengthy privacy policies. You can too: there is no charge for this and you don't need our specific permission. We used to provide this at AboutCookies.org, but now provide it here instead.
The EU's E-Privacy Directive of 2002 required that website visitors be given certain information about cookies. From 26 May 2011 the law changed, meaning that, in addition to being given certain information, visitors must give their consent to the placing of cookies.
In the UK the laws that give effect to the EU legislation are the Privacy and Electronic Communications (EC Directive) 2003 as amended by the Regulation of 2011 (PECR).
When the changes to EU cookie law were implemented in 2011 there was some confusion about how websites should seek and obtain cookie consent. Most sites used a notice for first-time visitors which sought to obtain consent, and assumed consent if someone continued to use the site without expressing a preference.
From 25 May 2018 the General Data Protection Regulation (2018 Act) came into force. It says that consent for data processing has to be given by users through a "clear affirmative action" and it must be freely given, specific, informed and unambiguous. These consent requirements are harder to satisfy, and they mean that the user should be given a real choice about which cookies, other than strictly necessary cookies, are used when they browse the website.
In addition to fulfilling the consent requirements, information should be provided to the user in a privacy policy, a data protection notice, or both. The privacy policy or notice, if used properly, can meet the information provision requirements of both PECR and the 2018 Act. For further information on implementing a privacy policy or data protection notice online, see Out-Law's guide to data protection.
Obtaining users' consent to the placing of a cookie is technically more difficult. The ICO guidance suggests a number of different ways to obtain consent. This guidance has yet to be updated by the ICO so the suggestions below are a starting point, as any mechanism used will also need to satisfy the requirements of consent under the 2018 Act:
All of the above mechanisms are used with varying degrees of success across websites. Whichever method you choose, cookies should not be dropped until the user takes some form of positive action on the website.
To try to satisfy the new consent requirements under the 2018 Act, a number of companies have developed cookie tools and privacy management software which allow an individual to set their cookie preferences by enabling them, for example, to reject the use of analytical, marketing or advertising cookies. Such tools are also a mechanism through which the website owner can seek to obtain and record the individual's consent so that they can evidence such consent at a later date. These tools also allow an individual to change their preferences. This is important, as an individual has the right to withdraw their consent as easily as they have given it. As such tools and software are relatively new to the market, they have not as yet been given any regulatory or supervisory authority approval.
As an alternative, businesses may wish to consider using a non-cookie site. A simple brochure-style site with no way to log in and no e-commerce functionality may not use cookies, meaning that the new law will not affect the site.
Very few sites do this, as it could place them at a competitive disadvantage to competitors and sites outside the EU. A non-cookie site may lose revenues from advertising, meaning that it is not cost effective to run such a site, and the site would not be able to measure traffic or learn about its users via tools such as Google Analytics, which is cookie-dependent.
Website owners/businesses should consider what would work for them by looking at their business and how they use their website.