The UK implemented the revised “Cookies” Directive (2002/58/EC) earlier this year with the Privacy and Electronic Communications (EC Directive) Amendment Regulations 2011 (the “Regulations”). This means that website operators are now required to ensure that users are informed and provide their consent to the use of cookies stored on their devices (including, laptops, desktops and mobile devices).  

We have mentioned cookies in previous editions of the Newsletter, but to recap they are small text files that are stored on a user’s device when visiting a website. The cookie assists the website in recognising the user’s device and delivering a more tailored and user-friendly experience.  

To help businesses the Information Commissioner’s Office (ICO) has published guidance relating to the Regulations recommending that businesses take the following actions immediately:

  • review and list the cookies and similar technologies (such as flash cookies, browser cookies, etc) currently used on its website (including any third party cookies used) to assess which ones are strictly necessary to provide users with web-based services and those which are not;
  • consider how intrusive its use of cookies are and talk to third party cookie providers to agree a suitable approach to obtain users consent. The ICO has stated that “The more privacy intrusive [the] activity, the more priority [a business] will need to give to getting meaningful consent”;
  • begin to create and implement appropriate and tailored solutions to gain users’ consent.  

Under the Regulations the ICO also has the power to impose monetary penalties of up to £500,000 where serious breaches of the Regulations have been committed.  

Although the Regulations are now in force, the ICO has stated that formal enforcement action is unlikely to be taken before May 2012. However, by that date businesses are expected to have reviewed their cookies practices and to have implemented a practical and effective strategy to obtain users’ consent.