Cookies are files or pieces of information that may be stored on your computer (or other internet enabled devices, such as a smartphone or tablet) when you visit a Unilever Site. A cookie will usually contain the name of the website from which the cookie has come from, the "lifetime" of the cookie (i.e. how long it will remain on your device), and a value, which is usually a randomly generated unique number.

Our guidance includes additional information about implied consent:

• Implied consent is a valid form of consent and can be used in the context of compliance with the revised rules on cookies.
• If you are relying on implied consent you need to be satisfied that your users understand that their actions will result in cookies being set. Without this understanding you do not have their informed consent.
• You should not rely on the fact that users might have read a privacy policy that is perhaps hard to find or difficult to understand.
• In some circumstances, for example where you are collecting sensitive personal data such as health information, you might feel that explicit consent is more appropriate.

Confidentiality of communications and spyware

It should be remembered that the intention behind this Regulation is also to reflect concerns about the use of covert surveillance mechanisms online. Here, we are not referring to the collection of data in the context of conducting legitimate business online but the fact that so-called spyware can enter a terminal without the knowledge of the subscriber or user to gain access to information, store information or trace the activities of the user and that such activities often have a criminal purpose behind them.

Responsibility for providing the information and obtaining consent

The Regulations do not define who should be responsible for providing the information and obtaining consent. Where a person operates an online service and any use of a cookie type device will be for their purposes only, it is clear that that person will be responsible for complying with this Regulation.

Exemptions from the right to refuse a cookie

The Regulations specify that service providers should not have to provide the information and obtain consent where that device is to be used:

• for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network; or
• where such storage or access is strictly necessary to provide an information society service requested by the subscriber or user.

In defining an 'information society service' the Electronic Commerce (EC Directive) Regulations 2002 refer to 'any service normally provided for remuneration, at a distance, by means of electronic equipment for the processing (including digital compression) and storage of data, and at the individual request of a recipient of a service'.

The term 'strictly necessary' means that such storage of or access to information should be essential, rather than reasonably necessary, for this exemption to apply. However, it will also be restricted to what is essential to provide the service requested by the user, rather than what might be essential for any other uses the service provider might wish to make of that data. It will also include what is required to comply with any other legislation the service provider might be subject to, for example, the security requirements of the seventh data protection principle.

Where the use of a cookie type device is deemed 'important' rather than 'strictly necessary', those collecting the information are still obliged to provide information about the device to the potential service recipient and obtain consent.