Does your downloadable cookie policy comply fully with the The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (also known as the EU cookie law)?
Alasdair Taylor's Answer
Under Regulation 6(1) of The Privacy and Electronic Communications (EC Directive) Regulations 2003, as amended by the 2011 Regulations, “a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user” unless certain requirements are met.
One of those requirements was that websites should provide users with “clear and comprehensive information about the purposes of the storage of, or access to, that information”. In other words, websites which use cookies should provide users with information about the purposes for which the cookies are used. This requirement is in Regulation 6(2)(a).
The change introduced by the 2011 Regulations concerned consent. In addition to providing clear and comprehensive information about the purposes for which cookies are used, websites must since May 2011 and subject to certain exceptions get consent from users for the use of cookies. This requirement is in 6(2)(b) as amended.
The question, I think, is whether using our cookies policy template will help you to comply with either of these requirements (it doesn’t make much sense to say that the template document complies or does not).
The answer to this question is that used properly, the cookies policy will help you to comply with the information requirements in Regulation 6(1)(a), but it will not on its own satisfy the consent requirements of Regulation 6(2)(b). The template does say at the top “by using our website, you agree to our use of cookies in accordance with this policy” (or words to that effect), but that on its own won’t generate a satisfactory consent for the purposes of the Regulations.
There are many different views upon what should be done to gain consent, and there is little certainty. The ICO has indicated that intrusive cookies will be looked at more carefully than non-intrusive cookies, although the Regulations don’t say anything about different types of cookies requiring different types of consent. Many website operators have taken the view that pop-ups with are required to gain consent. Other sites (such as this one) simply have a short cookies statement somewhere on each page, with a link through to a cookies policy or similar document.
I hope this is helpful.