New EU “cookies” law could put small businesses in hot water

Small businesses are being warned that their websites could fall foul of new EU rules governing the use of ‘cookies’ unless urgent alterations are made.

Currently, many websites use cookies to allow users to navigate their pages efficiently, performing tasks such as remembering log-in details, browsing history and ordering information.

Analytics software which monitors website usage, along with third party advertising such as Google’s AdSense, also generally functions using cookies.

Cookies work by installing a small piece of code on to a site user’s computer and this code allows the site to remember and recognise visitors. However, recent updates to the EU’s Privacy and Electronic Communications Regulations mean that it is now technically illegal for UK websites to do this without first seeking the user’s consent.

Companies which are found to have fallen foul of the new law, introduced on May 26, face a fine of up to £500,000. As a result, I urge business owners to make sure their websites comply.

Thankfully, the body tasked with policing the regulations – the Information Commissioners’ Office (ICO) – has said that, if it receives a complaint about a website using cookies without first gaining consent, is will give the site’s owner ‘up to 12 months’ to make alterations before prosecuting.

However, I believe companies should err on the side of caution and make any necessary changes to their websites as soon as possible in order to avoid potential problems.

Previously, the rules surrounding the use of cookies meant that you were obliged to explain somewhere on your website how you used them and how visitors could stop your site from doing so, but that was it.

Now, you won’t be able to put cookies on people’s computers without them consciously giving their consent for you to do so, even if it means your website might not work properly as a result. A business with a simple, non-interactive, two or three-page site shouldn’t be affected but if your website has a shopping basket function, remembers when a user has logged in, carries third party advertising or uses an analytics package, it is likely that it uses cookies to do so.

Thankfully, the ICO has said it will give businesses up to a year to ‘get their house in order’ if it receives a complaint about them. But with the possibility of a £500,000 fine for those deemed to be flouting the law, it is advisable for any business owners who think they may be affected to assess their use of cookies now and make any changes necessary.

What a company will need to do to comply with the new legislation will depend entirely on their website.

There is also still a considerable degree of ambiguity surrounding how the rules will work in practice and the Government is still discussing the legislation with browser manufacturers – websites may soon be able to rely on the user’s browser settings to indicate consent, but this is not currently possible.

However, the ICO has put online its own guidance on the issue. It suggests a three-stage approach:

1 – Check what type of cookies you use – if any
2 – Assess how intrusive they are
3 – Decide how to best obtain consent from users. This could include a pop-up message, offering an opt-in option when someone signs up for your service, or letting them make choices about how they use your site. Small businesses may have to ask their web designers or developers for information and input on this.

Phil Orford joined the FPB in February 2008 as Chief Executive. Following a brief spell as a sales executive, Phil set up his first company in 1983 at the age of 21. In the years that followed, he was involved in a number of start-up companies, which eventually formed a small group employing more than 100 staff and which had a turnover in excess of £10m. In 2005, Phil left the group and set up a new business to assist small companies comply with environmental legislation through the use of Web-enabled apps and tools.