How must online retailers comply with the change in rules concerning serving website cookies on UK visitors’ computers?

The new ‘cookie consent’ requirement was introduced through legislative amendments in May 2011. The Information Commissioner’s Office said at the time it would allow businesses a 12-month grace period to comply. That comes to an end on May 25.

Retailers must now give visitors clear and comprehensive information about their website’s use of cookies and obtain visitors’ consent when setting cookies, which track website users anonymously as they browse online. It is not enough just to make short cookie disclosures in a website privacy policy. Visitors must understand that cookies are set and how they can control their use.

Phil Lee, a partner in the Privacy and Information Law Group at Field Fisher Waterhouse, says there are four steps to compliance. Firstly, a retailer must audit its website to identify what cookies it serves. Secondly, it must assess the intrusiveness of the cookies served by the website. This will inform how prominent the cookie consent notices must be. Thirdly, it must decide on a consent strategy for the website. Where cookie use is not particularly intrusive, for instance, a retailer might rely on implied consent by displaying contextual cookie notices that inform visitors how to turn cookies off. And finally, a retailer must implement its consent strategy. This will require technical and operational changes to the website, and outsourced solutions providers can help to do this.