The Information Commissioner’s Office (‘the ICO’) has taken part in a study along with eight other regulators into the use of cookies. A cookie is a small file which is downloaded on to a user’s computer or smartphone when they access a website. Cookies are used to monitor the behaviour of users. The study that the ICO conducted was part of an international analysis of 16,555 cookies. They found that:
- The average website places 34 cookies on your device to track your behaviour during your first visit to the site. In the UK this figure is even higher, with on average 44 cookies tracking you the first time you visit a site. This was the highest figure for any country in the study.
- 70% of the cookies were revealed to be third-party cookies. Third-party cookies are set by a site other than the one a visitor is using. If a website shows content from a third-party site, the third-party site can use its own cookies to track user behaviour.
- 86% of the cookies were persistent, meaning they stayed on a person’s device after the person had left the site.
- The average cookie expires after one or two years, but three cookies in the study were set to last 7984 years, until the year 9999.
- 74% of websites in Europe did not tell users anything at all about the cookies they were using or the information they were collecting.
Under UK law (and similar laws across the EU) if you want to use cookies on your site you must:
- Alert people to the fact cookies are being used.
- Advise them on the information the cookies are collecting.
- Obtain consent from the user for all of the cookies being used.
If cookies are processing personal data then the Data Protection Act 1998 (‘DPA 1998’) comes into play. If the DPA 1998 applies then companies cannot collect excessive information through cookies and cannot keep the information for longer than is necessary. If they breach the DPA 1998 or the Privacy and Electronic Communications Regulations 2003 and 2011 then the company can be fined up to £500,000 or even prosecuted.
Cordery provide a set of written guides and a template cookies policy and notices to help you comply with the law. If you’d like more details please get in touch.
For more information please contact Jonathan Armstrong, who is a lawyer with Cordery in London, where his focus is on compliance issues.
Office: +44 (0)207 075 1784
jonathan.armstrong@corderycompliance.com