top of page

Do You Have A Website? COOKIES: Why Has The Law Changed And How?

OPT introduces: Yvonne Morris a  Commercial Law Consultant. We think that as well as knowing how to use your website as a marketing tool, you should also be aware of the legalities centred around actually having one!  Over the next three days, Yvonne explains to us all about Cookies and the law.  This information is vital to all who own a website, or who is thinking of getting one! Over to Yvonne….


The 2002 European Directive upon which the 2003 UK Privacy and Electronic Communications Regulations were based has been revised by a 2009 EU Directive. This required the UK to implement such revisions in to its own law which it introduced on 25 May 2011 through The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (the “Regs”). The UK Information Commissioner’s Office (ICO) announced a one-year grace period thereby delaying enforcement of the Regs which expired on 26 May of 2012.

The Regs are designed to protect the privacy of information (whether the information is personally identifiable or not) and personal data which is stored or made accessible in a user’s device. The aim of the law is to prevent information being stored on devices and used to recognise the user of that device without the owner’s knowledge and consent.


Both the older 2003 regulations and the Regs require websites to provide visitors with clear and comprehensive information about how and why cookies are being used on a website. However, with regards to the second requirement, the 2003 regulations required websites to give users the ability to ‘opt-out’ of cookies being stored on their devices, whereas, the Regs now include a requirement to obtain consent for cookies and similar technologies. This means that cookies can no longer be stored on a user’s device unless the user specifically consents in advance. See Article 3 of 3 for more on consent.


There are exceptions to the rule, for example, unless a website solely uses cookies that fall in to the “strictly necessary” category in accordance with the 4 categories, based on the ICC UK cookie guide , a website is legally bound to abide by the new requirements. For example, using cookies to remember items in an online shopping basket for the purposes of security in online banking or to help load webpages faster is regarded as “strictly necessary” and therefore does not require consent. All other common cookie usage falls in to the other three categories which all require consent of Performance; Functionality; and, Profile and Targeting). See Article 2 of 3 for further discussion on “Cookie Categories”.


It is unclear how the ICO will treat breaches of the law and how exactly it will go about enforcing compliance but it is likely that only serious breaches will lead to hefty fines of up to £500,000. However, it wouldn’t be unheard of for a regulatory authority to treat persistent breaches in a similar way. The ICO does have the power to commit an organisation to take steps towards compliance and to compel compliance (failure to do so would be a criminal offence).


Regardless of the implementation of the Regs, there are existing powers in current legislation to deal with unfair trade practices under the Consumer Protection from Unfair Trading Regulations 2008 (“CPUTRs”) which is a set of UK regulations to protect consumers from unfair, misleading or aggressive marketing practices. Being technology neutral, they are not specific to the digital and online world, however, any practice used online which is deemed unfair, misleading or aggressive will fall foul of the CPUTRs which give the duty to regulators to act when a consumer is deceived about the presence of cookies, even when the information they have been given is correct. In theory, the Office of Fair Trading (OFT) has the duty to enforce the CPUTRs and individuals (not just businesses) who breach the law can be punished by up to two years in prison or a hefty fine.

If you have website, Yvonne Morris Limited can help you to respond immediately to the Regs by:

(1)   Assisting you with updating your other online terms such as your Terms of Trade or Purchase Policy as well as your Privacy Policy;

(2)   Providing you with suggested wording for a cookie warning message to be placed on your site as well as a Cookie Policy; and,

(3)   Providing you with further advice as required by you.

Contact: Yvonne at

1 view0 comments

Recent Posts

See All
bottom of page