The blog from Wisetiger.
Insight, ideas and informed comment. We've earned our stripes...
Search stripey
Type & hit enter to search
UK Privacy and Electronic Communications Regulations 2003 Fortune Cookies

What’s in the future for cookies?

Or, what do the changes in the U.K. Privacy and Electronic Communications Regulations 2003 mean to me?

The key thing is not to worry unduly. Whilst the changes in the regulations, effective from the 26th of May 2011, require you to be conscious about how you use cookies on your website to service your users or customers, there are exceptions that are little understood.

Information Commisioners Office Advice

The U.K. Information Commissioner’s Office (ICO) has issued advice to businesses and organisation to help ensure compliance to the new EU privacy directive.  This advice is, in effect, a guide to getting compliant. The ICO plan to issue further guidance once the regulations are implemented.

The new rules which revise the U.K. Privacy and Electronic Communications Regulations 2003 (PECR) apply to cookies, including flash cookies, as well as other technologies that store or gain access to information on users computer (or devices like iPhones).  From the 26th, websites are required to gain explicit consent to store the cookie on the users computer (or device). Previously websites only needed to explain how and where cookies were to be used in it’s privacy policy and provide an opt-out capability.


There is a little known exception to the regulation that allows cookies to be used without consent if what you are doing is ‘strictly necessary’ for a service requested by the user of your website. While the ICO suggest that this exception should be considered to be a ‘narrow’ one it does suggest that examples would include shopping activities. i.e. “to ensure that when a user of your site has chosen the goods they wish to buy and clicks the ‘add to basket’ or ‘proceed to checkout’ button, your site ‘remembers’ what they have chosen on a previous page. You would not need to get consent for this type of activity.”

What to do next

ICO has urged businesses and organisations to:

  1. “check what type of cookies and similar technologies you use and how you use them”
  2. “assess how intrusive your use of cookies is”; and
  3. “decide what solution to obtain consent will be best in your circumstances.”

The key step in the process is No.2. How intrusive is your use of cookies? It goes on to say “Some of the things you do will have no privacy impact at all and may even help users keep their information safe.  Other technologies will simply allow you to improve your website based on information such as which links are used most frequently or which pages get fewest unique views.”  The ICO suggests that cookies involved in creating detailed profiles of an individuals browsing activity are more affected by the regulation changes.  Indeed I would suggest that cookies that collect user data are the ones that need action.

The ICO also discusses various options for obtaining user consent through the use of pop-ups, terms and conditions, and similar solutions. “What is clear is that the more directly the use of a cookie or similar technology relates to the user’s personal information, the more carefully you need to think about how you get consent,” concluded the ICO.

Where can I find out more?

You can read the full ICO guidance here. The ICO may provide further guidance as the regulations roll out and are implemented; “We will be keeping the situation under review and will consider more detailed advice if appropriate in future.”

WiseTiger will keep abreast of this and will update you here, so keep coming back 🙂


Andy Shaw

Start the conversation

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.