Out-Law News 4 min. read

Most UK web sites do not meet new cookie law


Most of the UK's top 90 web sites will need to make changes to comply with new regulations which came into force yesterday that require companies to give certain information about the use of cookies on their sites, according to WebAbacus.

The web analytics firm studied the UK's most popular 90 web sites (according to Hitwise) to check the level of compliance with a provision of the Privacy and Electronic Communications (EC Directive) Regulations, which now affect most web sites in the UK.

Cookies are small text files sent from a web server to a web site visitor's computer and are stored on the hard drive, so that when the user visits the web site again or visits another page of the site, the site will remember him.

Without cookies, it is often said that the internet would have no memory. They are used by most commercial web sites and serve a valuable purpose. But it is also possible to use them irresponsibly, and fears of this prompted legislation from Brussels.

The UK's Regulations implement an EU Directive. They provide that a web operator must not store information or gain access to information stored in the terminal equipment of a user unless the user "is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information" and "is given the opportunity to refuse the storage of or access to that information."

The Information Commissioner has published guidance (see pages 4-7 of this 17-page PDF) that gives his interpretation of the time when the opportunity to refuse needs to be given.

Fortunately for operators of web sites, he writes: "at the very least, however, the user or subscriber should be given a clear choice as to whether or not they wish to allow a service provider to engage in the continued storage of information".

"Where the relevant information is to be provided in a privacy policy, for example," he continues, "the policy should be clearly signposted at least on those pages where a user may enter a website."

So, while it may be best practice in complying with the literal meaning of the Regulations to offer an opportunity to refuse cookies before sending them to a user's computer, the Commissioner perhaps acknowledges that this is far from best practice in creating a user-friendly web site.

Therefore, it seems to be acceptable practice to use cookies without prior consent, provided the use of cookies is fully explained in a cookie policy or privacy policy which is accessible from every page of a site.

However, WebAbacus found that 88 of the 90 sites it tested did not comply with its own view of what is best practice.

This view concerns not just the point at which the information about cookies is given (WebAbacus follows the Commissioner's view on acceptable practice - i.e. a privacy policy is an appropriate location), but also the assistance given to users in deleting cookies.

Only the web sites of Currys and Dixons - both part of the same company - met its standards.

Web sites were reviewed and classified by WebAbacus as follows:

  • 24% had no privacy policy;
  • 12% had a privacy policy, but included no information about cookies;
  • 53% had a privacy policy, with information about cookies, which might include a reference to blocking cookies through a browser;
  • 8% had a privacy policy, with information about cookies and detailed instructions for blocking cookies through a browser;
  • 2% (Currys and Dixons) had a single click opt-out.

The Currys and Dixons privacy policies explain their use of cookies, then state: "If you do not want your visits to our website to be monitored in this way you can opt-out by clicking here."

A harmless cookie, only used to verify if a user's browser is accepting cookies, will already be on the user's computer by the time they've read the privacy policy. Clicking the link sends a second cookie, a so-called opt-out cookie, to the user's computer. But it contains no personal information, or even an identifier code.

Instead, the opt-out cookie provides a flag that tells the sites on future visits that no further cookies should be sent. The first verification cookie automatically deletes itself in 24 hours.
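
The decision logic described above can be sketched as follows. This is an added example, not code from Currys, Dixons or WebAbacus; the cookie names, the `cookies_to_set` function and every lifetime other than the 24-hour verification cookie are assumptions.

```python
from http.cookies import SimpleCookie
import uuid

# Cookie names and lifetimes are assumptions for illustration, except the
# 24-hour life of the verification cookie, which the article states.
CHECK, OPT_OUT, VISITOR = "cookie_check", "opt_out", "visitor_id"
DAY = 24 * 60 * 60


def _cookie(name, value, max_age):
    """Build one Set-Cookie header value."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["max-age"] = max_age
    jar[name]["path"] = "/"
    return jar[name].OutputString()


def cookies_to_set(cookie_header, opt_out_clicked=False):
    """Return the Set-Cookie values the site should send for one request."""
    seen = SimpleCookie()
    seen.load(cookie_header or "")

    # The flag is honoured first: an opted-out browser gets no further cookies.
    if OPT_OUT in seen:
        return []
    # Opt-out link clicked: send a constant flag, no identifier, no personal data.
    if opt_out_clicked:
        return [_cookie(OPT_OUT, "1", 365 * DAY)]
    # First contact: harmless verification cookie that expires in 24 hours.
    if CHECK not in seen:
        return [_cookie(CHECK, "1", DAY)]
    # Browser accepts cookies and has not opted out: monitoring cookie allowed.
    if VISITOR not in seen:
        return [_cookie(VISITOR, uuid.uuid4().hex, 365 * DAY)]
    return []


if __name__ == "__main__":
    # Constructed request headers covering each branch.
    for header, clicked in [("", False), ("cookie_check=1", False),
                            ("cookie_check=1", True),
                            ("cookie_check=1; opt_out=1", False)]:
        print(repr(header), clicked, "->", cookies_to_set(header, clicked))
```

Because the opt-out is itself a cookie, a user who clears all cookies also clears the flag and is treated as a first-time visitor again.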

Ian Thomas, Marketing Director of WebAbacus, told OUT-LAW.COM that his firm sees opt-out cookies - as opposed to just a means of opting out - as best practice for complying with the new Regulations. He adds that this view has been endorsed by the Information Commissioner but acknowledges that there are other means of complying.

Masons, the law firm behind OUT-LAW.COM, has set up AboutCookies.org, a site to which web sites can direct their visitors for information on deleting and controlling cookies.

AboutCookies.org is updated as each new version of a major internet browser is released, to try to ensure that instructions to individuals on deleting and controlling cookies are as clear as possible. This avoids the need for businesses to keep up with changes when, for example, Microsoft releases the next version of Internet Explorer.

If your business uses cookies in its site, the following wording may be suitable for inclusion in your privacy policy:

We may also store information about you using cookies (files which are sent by us to your computer or other access device) which we can access when you visit our site in future. If you want to delete any cookies that are already on your computer, please refer to the instructions for your file management software to locate the file or directory that stores cookies. Our cookies will have the file names [X.txt, Y.txt and Z.txt].

If you want to stop cookies being stored on your computer in future, please refer to your browser manufacturer’s instructions by clicking "Help" in your browser menu. Further information on deleting or controlling cookies is available at www.AboutCookies.org. Please note that by deleting our cookies or disabling future cookies you may not be able to access certain areas or features of our site.

When you visit our site, we may also log your IP address, a unique identifier for your computer or other access device.

For advice on amending your privacy policy or your data protection notice, feel free to contact [email protected].
