Cookies and Data Processing
Correct at time of publication: November 2016
DP5 Disclaimer: This note does not contain a full statement of the law and it does not constitute legal
advice. Please seek legal advice if you have any questions about the information set out above.
© Oury Clark 2016
Contact@ouryclark.com or see our website for more details.
Businesses use cookies on their websites for various purposes. This
Guide sets out some of the legal issues surrounding usage of cookies
and the legal requirements for websites that are accessible in the UK.
What are cookies?
Cookies are small pieces of data which a website asks the user's browser
to store and to send back on later requests to that site. Because the
browser returns the same cookie on each visit, a website can recognise
a returning user and collect information about their online behaviour,
often without the user's knowledge. Information such as site
preferences and login state is then retained for subsequent visits.
Cookies are most frequently used to:
optimise the efficiency of a website;
collect details about visitors to a website;
track movements around a website; and
analyse visitor trends.
Cookies can be used to collect a variety of information and will have
differing lifespans. Session cookies carry no expiry and are deleted
by the browser as soon as the session ends, whereas persistent cookies
are given an expiry date or maximum age by the website and remain on
the user's device for subsequent visits until that time passes. The
lifespan will generally reflect the type of information being collected
and the intended use of the particular cookie.
What are the EU/UK requirements on cookies?
In the European Union (“EU”), data protection laws apply whenever a
business collects ‘personal data’ from individuals that are based within
the EU.
Personal data means any information which relates to a living
individual who can be identified from that data, whether on its own or
in conjunction with other obtainable information. This includes basic
details such as names, addresses, photos and IP addresses. (For
more information about data protection please see our related Quick
Guides and booklet on this subject.)
If cookies are only being used in a way that does not collect personal
data (e.g. where they are solely for navigation purposes), then data
protection laws should not apply. Where cookies are used which do
collect personal data (e.g. to remember login data) then the website
host must meet certain requirements, as set out below:
Consent: Under UK law, a business must obtain the consent of an
individual before collecting and processing their personal data.
Therefore, if a website collects personal information through its
cookies, the website owner/host will need to obtain consent prior to
processing. This consent can be implied or explicit as follows:
Implied Consent can only be relied upon where the website
owner/host is able to show that the user has taken a specific action to
consent to the use of cookies. The UK's Information Commissioner's
Office ("ICO") states that implied consent can be demonstrated by a
user moving to the next page of a website where the front page of the
website clearly and prominently states that cookies are used.
In order to rely on implied consent, information about cookies must be
clearly displayed, usually via a roll-down notice with a link to a more
detailed Privacy Policy and/or Cookie Policy (please see below for
more information on this). A hidden Privacy Policy would not suffice.
Explicit Consent involves the user knowingly indicating their consent
(e.g. checking a box).
In practice, explicit consent is the safest means of ensuring
compliance with the EU data protection requirements. Whether this is
needed will depend upon the nature of the business and any
regulatory concerns surrounding this.
Providing Information: Website owners/hosts are required to
provide clear and comprehensive information about the cookies used
on a website. This should include information about any third parties
which host cookies on their websites; any transfers to third parties;
and the owner/host’s use of the data collected by the website.
The easiest way to provide this information is through a Cookie Policy
linked to the website’s Privacy Policy.
When do EU laws apply?
Each of the EU member states has its own data protection laws;
however, these are all governed by the same set of overarching
principles. The laws of a particular member state will apply in the
following circumstances:
1. The website owner is ‘established’ (please see below) within
that member state and the owner collects and processes
personal data within the context of that establishment; or
2. The website owner is not established within a member state,
but is established in a place where international public law
dictates that the laws of that member state apply (this
generally only applies to government agencies and
embassies so is unlikely to be applicable to most businesses);
or
3. The website owner is not established within that member
state but uses ‘equipment’ (please see below) situated in a
member state.
A business is considered to be established in a member state if it
has human and technical resources permanently available in that
member state (e.g. a physical presence).
In the context of the above, equipment does not necessarily have to
be owned by the business. Furthermore, when a website places
cookies on a user's device, that device technically becomes
equipment used by the website owner to collect data. If the cookie is
stored on a device located in a member state, the website host will be
subject to EU laws.
In practice it is very difficult for the EU authorities to enforce data
protection laws against businesses which do not have an EU
presence. However, businesses should be aware that they will be
subject to these laws whenever they process the data of an individual
resident in an EU member state, and the relevant EU data protection
authorities do have powers to issue fines or to demand changes to
non-compliant websites.
Whilst the above requirements are not compulsory in countries
outside the EU, many other jurisdictions recommend that website
operators obtain consent or, as a minimum, provide users with details
of cookies in their Privacy Policy.
How to ensure your business complies with its cookie
obligations
The best way to ensure compliance is through a Cookie Policy and a
roll-down notification statement that appears when users first access
the website.
A Cookie Policy must be brought to the user's attention before they
make full use of the website and should include the following information:
The type of information collected through cookies.
How long information will be held.
Whether any information will be shared with third parties.
Whether any information will be transferred out of the EEA.
The purpose of each type of cookie.
How to opt out of the use of cookies (including confirmation of
how this may impact on the user experience of the website).
The ICO recommends that businesses undertake regular cookie audits
to identify the cookies which are used by the website and the
characteristics of each cookie (its name, purpose, lifespan, and
whether it is set by the website itself or by a third party).
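The lifespan distinction described under "What are cookies?" and the cookie audit recommended above both come down to reading the Set-Cookie headers a website sends. The following script is an added example, not code from Oury Clark or the ICO: it parses each Set-Cookie header, classifies the cookie as session or persistent from its Max-Age/Expires attributes, checks whether its Domain attribute places it with a third party, and records the Secure, HttpOnly and SameSite attributes an auditor would want to see. The sample headers, the hostname www.example.com and the ad-network domain are constructed for the example; in a real audit you would capture the headers from the site's own responses.

```python
"""Cookie audit over Set-Cookie headers: lifespan, party and security attributes."""
from dataclasses import dataclass
from typing import Any, Dict, List, Optional

# Constructed sample headers, as a site at www.example.com might send them.
# Names, values and domains are made up for this example.
SAMPLE_SET_COOKIE_HEADERS = [
    "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "prefs=lang%3Den; Path=/; Max-Age=31536000; SameSite=Lax",
    "_ga=GA1.2.1234567890.1478000000; Domain=.example.com; "
    "Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/",
    "adtrack=xyz; Domain=ads.example-adnetwork.test; Max-Age=63072000; Path=/",
]


@dataclass
class CookieRecord:
    name: str
    value: str
    domain: Optional[str]
    path: str
    max_age: Optional[int]
    expires: Optional[str]
    secure: bool
    http_only: bool
    same_site: Optional[str]

    @property
    def persistent(self) -> bool:
        # A cookie with neither Max-Age nor Expires lives only for the browser session.
        return self.max_age is not None or self.expires is not None

    @property
    def lifespan(self) -> str:
        if self.max_age is not None:
            return f"{self.max_age} seconds"  # Max-Age takes precedence over Expires
        if self.expires is not None:
            return f"until {self.expires}"
        return "session"


def parse_set_cookie(header: str) -> CookieRecord:
    """Parse one Set-Cookie header value into a CookieRecord."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    flags = set()
    for part in parts[1:]:
        if "=" in part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
        elif part:
            flags.add(part.lower())
    max_age: Optional[int] = None
    if "max-age" in attrs:
        try:
            max_age = int(attrs["max-age"])
        except ValueError:
            max_age = None  # a malformed Max-Age is ignored, as browsers do
    return CookieRecord(
        name=name.strip(),
        value=value.strip(),
        domain=attrs.get("domain"),
        path=attrs.get("path", "/"),
        max_age=max_age,
        expires=attrs.get("expires"),
        secure="secure" in flags,
        http_only="httponly" in flags,
        same_site=attrs.get("samesite"),
    )


def is_third_party(cookie: CookieRecord, site_host: str) -> bool:
    """True when the cookie's Domain attribute lies outside the site being audited."""
    if cookie.domain is None:
        return False  # host-only cookie: always first party
    domain = cookie.domain.lstrip(".").lower()
    host = site_host.lower()
    return not (host == domain or host.endswith("." + domain))


def audit_cookies(headers: List[str], site_host: str) -> List[Dict[str, Any]]:
    """Produce one audit row per Set-Cookie header."""
    rows = []
    for header in headers:
        c = parse_set_cookie(header)
        rows.append({
            "name": c.name,
            "persistent": c.persistent,
            "lifespan": c.lifespan,
            "third_party": is_third_party(c, site_host),
            "secure": c.secure,
            "http_only": c.http_only,
            "same_site": c.same_site,
        })
    return rows


if __name__ == "__main__":
    for row in audit_cookies(SAMPLE_SET_COOKIE_HEADERS, "www.example.com"):
        print(row)
```

The audit rows give the name, lifespan and first-/third-party status that a Cookie Policy has to disclose, and the Secure/HttpOnly/SameSite columns show at a glance which cookies (the login cookie above, for instance) carry the protections a security reviewer expects.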
Oury Clark can review your current policies and provide advice on
updates and implementation in order to ensure that you are compliant
with data protection laws in both the UK and the EU. We can also
provide advice on the process needed to conduct a cookie audit.
If you require any further information or assistance about your
obligations in connection with cookies or data protection more
generally then please contact Ben Robson at
ben.robson@ocsolicitors.com or on +44 (0)207 067 4300.
Oury Clark Solicitors
10 John Street
London
WC1N 2EB
T: +44 (0) 207 067 4300