Retail surgery: In light of new EU regulations on the use of cookies, how can I avoid breaking the law?

UK and European data protection laws have historically required website operators to notify visitors about cookies served through their websites and to give visitors the ability to refuse those cookies. This ‘notice and opt out’ approach changed on May 26. The new rule requires website operators to obtain visitors’ consent to cookies, having first provided them with information about the use of cookies.

Eduardo Ustaran, partner and head of Field Fisher Waterhouse’s privacy and information law group, says the UK regulator’s guidance is unambiguous: “Website operators must act now to implement ways to obtain visitors’ consent to cookies.” So what steps should retailers take?

The first step, says Ustaran, is to assess what cookies are served through the site - this could be done via a cookie audit. You need to assess how intrusive the use of website cookies is. “The more intrusive the cookie, the greater the need for clear and meaningful consent,” he says.

Retailers need to provide full and transparent cookie disclosure, adds Ustaran. Disclosures should at least be set out in a privacy policy but to boost transparency, retailers could adopt a separate cookie policy or make more website disclosures.

An appropriate consent strategy is needed. Retailers should focus on ensuring compliance for the most privacy-intrusive cookies.

Lastly, keep abreast of browser developments. As browsing software evolves, users are expected to be given greater control over the cookies placed on their computers.