< Back

Share |

It's not about keeping things private - Online privacy and cookie policies

May 2013

As an ever increasing number of us are moving various aspects of our lives online, we are becoming more aware and concerned about the protection of our personal information online and how we can exercise control and discretion over the way that information is used by those organisations we provide it to.

As a consequence, making people aware of how their information is being used is a vital part of ensuring that users understand and are comfortable with what is being done with that information.

Legal book and mallet

The Data Protection Act 1998 (DPA) and the recent developments to the cookie regime under the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (Regulations) set out numerous rights for individuals in respect of their personal data and place obligations on website owners to convey certain information to their users. The challenges presented by conducting business online mean that is it more difficult to ensure these rights and obligations are satisfied.  

Why do we need online privacy and cookie policies?

Any personal information which is collected by an organisation (whether through a website or otherwise) must be processed fairly and lawfully which, under the DPA, includes informing individuals about how such information is obtained, used or disclosed. This must include telling users about:

  • the identity of the organisation in control of the processing;
  • the purpose, or purposes, for which the information will be processed;
  • any further information necessary, in the specific circumstances, to enable the processing in respect of the individual to be fair.

There are also further requirements under the Regulations in respect of cookies.  Website owners must ensure that users are informed about the existence of cookies, that they know what each category of cookie is doing and that they provide consent to having a cookie placed on their device.

Given the challenges of presenting this information within an online environment, use of both a privacy and cookie policy (or combined policy) is essential in order to effectively communicate to users what is being done with their information. By having an appropriately worded privacy policy, a website operator will be ensuring that visitors have given consent to the business to build a customer/contact base and utilise its services.

Aside from complying with the legal technicalities, having a privacy policy clearly displayed on a website ensures peace of mind and transparency to visitors in respect of how their information is used on the site. The recent furore around Google's online privacy policy serves to demonstrate that you can't go far wrong if you remain upfront and clear with users, explaining exactly what you are doing.  

Making sure people understand – what information do I need to include?

Privacy policies

Notepad and penConsideration should be given to the types of individuals who are going to be using the website or services. More often than not, where consumers are involved, simplicity is the most important factor to ensure users can understand what they are being told.

As an absolute minimum, the following information should be included in a privacy policy:

  • details of the entity which is collecting and processing personal information;
  • what the purpose or intention is for collecting the personal information; and
  • if applicable, whether any personal information will be shared with or disclosed to any third parties.

Guidance from the Information Commissioner's Office also recommends that in certain circumstances you may wish to go further than this and tell people:

  • if you intend to pass information on to third parties, who those organisations are and how they will use such information;
  • how long you or other organisations intend to keep the information for;
  • the consequences of not providing information – for example being unable to provide services to a user or an inability to use a website as intended; and
  • what steps are being taken to ensure the security of personal information.

Cookie policies

CookieThe most important consideration in respect of a cookie policy is to consider your audience. The level of explanation and detail of information which has to be provided about the cookies will differ depending on whether you are dealing with an average online shopper or an experienced web developer.

A cookie policy should paint a clear and comprehensive picture about each type of cookie used on the site, with a description of why it is needed and what it is used for. In particular, users should be informed about the:

  • name of the cookie;
  • purpose of its use;
  • type of cookie (strictly necessary, performance, functionality or a targeting or advertising cookie); and
  • duration for which the cookie is set on the user’s device (that is, the life of the cookie before it is erased from a device).

The policy should also inform website users about how to disable the cookies and manage their cookie preferences through their browsers or otherwise.

In addition to this, website owners should use the cookies policy as part of a layered approach to achieving compliance with their obligations under the Regulations in respect of consent. Providers may choose to display a prominent link to the cookie policy from an obvious place on their homepage (such as the header), display a banner introducing the use of cookies, or implement a pop-up/splash screen window providing a means to obtain consent.

So what should you be doing?

Audit and implement

ChecklistWebsite owners should conduct an audit of their website to ascertain what personal data is collected and what cookies are set. Website owners then need to gain an understanding of why they collect such data and how it is used. This information should then be fed into the privacy and cookie policies.

Having in place a clear and robust online privacy notice will help minimise the potential risks of carrying out business online. The overriding objective of the privacy and cookie policies is that of transparency – it's not about keeping things private.

If you have any questions on this article or would like to propose a subject to be addressed by the Global Data Hub please contact us.

Privacy definition
Emma Bollans

Emma Bollans      


Emma looks at why online privacy and cookie policies are so important and what they should do.

"Having in place a clear and robust online privacy notice will help minimise the potential risks of carrying out business online."