Cookies: are you compliant?

Meet the team:

  • Tel: +44 (0) 161 829 2599
berg logo
Share this post: linkedin Twitter facebookshare Email
Posted in:Corporate and Commercial|May 21, 2012 | Join the mailing list

A cookie is a small text file implanted by an online provider on the hard-drive of visitors to the site, often without their knowledge.  Cookies collect information about internet users, such as their names, addresses, e-mail
details, passwords and user preferences.  While cookies and the information they transmit may not on their own identify an individual, they may be able to do so in combination with other information held by the online provider or a third party.

Where the data contained in cookies can be linked to a name, a postal address or even an e-mail address, that information will amount to personal data and be subject to the Data Protection Act 1998. 

In November 2009, the Citizen’s Rights Directive changed the requirements that online providers must meet when using cookies from the opt-out regime that was previously in force, to a requirement for "informed consent". 

The use of cookies is only allowed if the user concerned:

•    has been provided with clear and comprehensive information about the purposes for which the cookie is stored and accessed; and

•    has given his or her consent. 

The Information Commissioner’s Office acknowledges that the introduction of the new legal framework on cookies presents businesses that use cookies with considerable technical, legal and organisational challenges.  In particular, many online service providers,
retailers and advertising networks have come to rely on cookies for carrying out essential as well as non-essential website functions.  It is expected that the transition to data protection-compliant systems will require a transition period of several months,
during which the technical and compliance teams of online providers, in conjunction with browser operators, will develop technical as well as administrative solutions.

To facilitate this process the ICO confirmed that it will allow a lead-in period of 12 months for organisations to develop ways of meeting the cookie-related requirements of the revised Regulations.  This lead-in period will end on 26 May 2012 when the ICO
will move towards the approach set out in its general Data Protection Regulatory Action Policy and when it will consider using its enforcement powers to compel them to develop such ways in appropriate cases.

The ICO’s guidance recommends a number of practical steps providers should take to achieve compliance.  This includes carrying out a "cookie audit" and suggestions for practical ways in which providers can comply with their obligations to provide users with
the necessary information and to obtain their consent.  The Information Commissioner has made it clear in his half-term report that he expects providers to be able to demonstrate the steps they are taking and the timescale within which they expect to achieve

If you do not know whether your website is compliant, or have any queries regarding your legal obligations, please contact Stephen Foster, Partner and Head of the Corporate and Commercial Department by telephoning 0161 833 9211
or by e-mail at

The information and opinions contained in this article are not intended to be comprehensive or to provide legal advice.  No responsibility for this article’s accuracy or correctness is assumed by Berg or any of its partners or
employees.  Professional legal advice should be obtained before taking, or refraining from taking, any action as a result of the contents of this article.

Join our mailing list

More from berg



"berg achieved exactly the right balance, protecting revenue streams and safeguarding against risk while maintaining our commercial and competitive approach"

Generis Technology Limited