The deadline for compliance with the new "Cookie Law", requiring user consent for the use of cookies on websites is approaching on 26 May 2012. Websites using cookies or similar technologies need to consider their compliance strategy now.
In May 2011, the EU reforms to the ePrivacy Directive were implemented into UK law. One of the key changes to the existing law was a requirement for organisations to get consent from end users in order to use cookies on their websites. The UK regulator, the Information Commissioner, announced he would grant a 12 month enforcement moratorium to allow businesses to achieve compliance (i.e. until 26 May 2012).
What is a Cookie?
At its simplest, a cookie is a string of data (usually letters and numbers) which, by being stored on a particular device accessing a website, functions as a unique identifier for that device. Cookies are responsible for much of the website functionality that is both popular and taken for granted. For example, cookies can save users the time and trouble of re-entering site preferences or delivery addresses every time they access a favourite site.
Cookies can be used for various (and sometimes multiple) purposes, but they can broadly be categorised as:
- Targeting or advertising cookies – these might be used to deliver targeted advertising to users based on their previous browsing habits
- Functionality cookies – these might be used to recognise a user when he or she returns to a website
- Performance cookies – these might be used to monitor traffic across different pages of a website to report on visitor numbers and popular pages
- Strictly necessary cookies – these include cookies that enable users to log into secure areas of a website or use a shopping cart
What does the "Cookie Law" say?
The rules relating to cookies are contained in the UK Privacy and Electronic Communications (EC Directive) Regulations 2003. Since 2003, websites using cookies and similar technologies have been required to provide users with clear and comprehensive information about the use of cookies. This requirement has not changed. However, whereas the 2003 rules also required users to be given the opportunity to refuse cookies (i.e. an opt-out), the amended rules require users to have given their consent to use of the cookies (i.e. an opt-in). As before, an exemption applies in respect of a narrow category of strictly necessary cookies.
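To make the opt-in rule concrete, the following JavaScript is an added editorial illustration (it is not code from the article, the ICO or the ICC UK) of how a website can gate the setting of cookies on recorded user consent, using the four cookie categories described above and exempting only strictly necessary cookies. The cookie registry, cookie names and consent object are constructed for the example; the `writer` callback stands in for an assignment to `document.cookie` so the logic can also run outside a browser.

```javascript
// Added example (not from the article): gating cookie use on opt-in consent,
// with the strictly necessary exemption the amended Regulations provide.
// Category names follow the four types listed in the article; the cookie
// names and the registry below are constructed for illustration.
const COOKIE_CATEGORIES = Object.freeze({
  STRICTLY_NECESSARY: 'strictly_necessary',
  FUNCTIONALITY: 'functionality',
  PERFORMANCE: 'performance',
  TARGETING: 'targeting',
});

// Hypothetical registry of every cookie the site sets, mapped to its category.
// Maintaining such a list is the "check which cookies are being used" step.
const COOKIE_REGISTRY = Object.freeze({
  session_id: COOKIE_CATEGORIES.STRICTLY_NECESSARY, // login to a secure area
  cart: COOKIE_CATEGORIES.STRICTLY_NECESSARY,       // shopping cart
  lang_pref: COOKIE_CATEGORIES.FUNCTIONALITY,       // remembered preference
  analytics_visit: COOKIE_CATEGORIES.PERFORMANCE,   // traffic measurement
  ad_profile: COOKIE_CATEGORIES.TARGETING,          // behavioural advertising
});

// Decide whether a cookie may be set under the user's recorded consent.
// `consent` is an object such as { functionality: true, targeting: false };
// a category that is absent counts as refused (opt-in, not opt-out).
function mayUseCookie(name, consent) {
  const category = COOKIE_REGISTRY[name];
  if (category === undefined) return false; // unregistered cookies are never set
  if (category === COOKIE_CATEGORIES.STRICTLY_NECESSARY) return true; // exemption
  return consent !== null && typeof consent === 'object' && consent[category] === true;
}

// Serialise a cookie in the document.cookie assignment format. Attribute
// order is fixed so the result is predictable; Secure is added on request.
function buildCookieString(name, value, opts = {}) {
  const parts = [`${encodeURIComponent(name)}=${encodeURIComponent(value)}`, 'Path=/'];
  if (Number.isInteger(opts.maxAge)) parts.push(`Max-Age=${opts.maxAge}`);
  if (opts.secure) parts.push('Secure');
  return parts.join('; ');
}

// Set a cookie only if consent allows it. `writer` receives the cookie string
// (in a browser: (s) => { document.cookie = s; }). Returns the string written,
// or null when the cookie was suppressed for lack of consent.
function setCookieWithConsent(name, value, consent, opts, writer) {
  if (!mayUseCookie(name, consent)) return null;
  const cookie = buildCookieString(name, value, opts);
  writer(cookie);
  return cookie;
}

// Parse the document.cookie read format ("a=1; b=2") into cookie names.
function cookieNamesFrom(cookieHeader) {
  return cookieHeader
    .split(';')
    .map((p) => p.trim())
    .filter((p) => p.length > 0)
    .map((p) => decodeURIComponent(p.split('=')[0]));
}

// Audit helper: given the cookie names currently present on the device,
// return those that the recorded consent does not permit.
function cookiesLackingConsent(presentNames, consent) {
  return presentNames.filter((n) => !mayUseCookie(n, consent));
}

// Constructed sample: cookies found on a device whose user has opted in to
// functionality cookies only. The audit flags the targeting cookie.
const SAMPLE_COOKIE_HEADER = 'session_id=abc123; ad_profile=seg42; lang_pref=en';
const SAMPLE_CONSENT = Object.freeze({ functionality: true });
console.log(cookiesLackingConsent(cookieNamesFrom(SAMPLE_COOKIE_HEADER), SAMPLE_CONSENT));
```

The design point is that the registry, not the calling code, decides a cookie's category, so a cookie whose purpose has not been assessed cannot be set at all, and consent defaults to "refused" for every non-essential category until the user opts in.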
This amendment to the 2003 Regulations came into force in the UK on 26 May 2011. However, as mentioned above, at the time, the UK Information Commissioner granted a one year moratorium on enforcement of these new rules in order to allow organisations the opportunity to develop compliance strategies to address this challenging change. This moratorium on enforcement expires on 26 May 2012. From that date, the Information Commissioner's Office (the "ICO") may exercise a range of regulatory powers at its disposal in relation to breaches of the new rules, including Enforcement Notices, Information Notices, and fines (Monetary Penalty Notices) of up to £500,000.
Is there any guidance available?
During the "grace period", the ICO has been encouraging organisations to: (i) check which cookies and similar technologies are being used and how; (ii) assess how intrusive the use is and prioritise compliance efforts, starting with the most intrusive; and (iii) decide which solution for providing clear and comprehensive information and obtaining consent will be best in the circumstances. It has also produced some guidance and has committed to updating this guidance with practical illustrations as it becomes aware of examples of compliance solutions.
Other organisations such as the International Chamber of Commerce UK (the "ICC UK") have also been working with expert members (including this firm) on guidance to support organisations trying to meet the requirements of the new rules. The ICC UK published a cookie guide in April 2012 to help website operators obtain consent for the use of cookies in an open and transparent way whilst not disrupting the online environment and customer experience. The guide suggests a standard user notice for each of the four types of cookies described above, explaining what each cookie does. Encouraging websites to adopt common (or at least similar) language should make it easier for consumers as they move from site to site to understand why operators want to use cookies. The guide is not prescriptive and is designed to be adapted and used for all manner of compliance solutions, being a tool to support compliance rather than a guarantee of compliance.
Actions
Every website is unique and standard solutions are therefore unlikely to exist. However, UK organisations with a website using cookies or similar technologies should be considering their compliance strategy now. In addition, the new requirement originates from an EU Directive, so organisations with a European web presence will also need a compliance strategy covering the EU, where the rules are being implemented on a country-by-country basis. So far only a small number of Member States have implemented the rules, including France and the Netherlands.
Further Information
See our PLC Article from the May 2012 edition of PLC magazine for further details.
Click here for details of the ICC UK's cookie guide.
The ICO's guidance can be accessed here.
