The Information Commissioner's Office (ICO) has threatened businesses with formal enforcement action if they fail to meet a deadline to take steps to comply with the so-called "cookie law".

The new rules requiring website operators to obtain consent from site visitors to the use of cookies was brought in under the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011. Although the new law came into force in May 2011, the Information Commissioner declared that there would be a 12 month grace period during which strict enforcement action would not be taken. Since that period expired in May 2012 the ICO has written to seventy-five of the UK's most frequently visited websites to check on the measures they are taking to ensure compliance. Those sites that have failed to respond have been set a deadline for their sites to conform to the law, and have been warned that enforcement notices will follow if they fail to do so. Any business which fails to act on the enforcement notice will be at risk of criminal prosecution.

A cookie is a small text file used by a website to collect information about internet users, such as their names, addresses, e-mail details, passwords and user preferences. The Regulations, designed to protect the privacy of internet users, state that a user's consent to the use of cookies must be "freely given, specific and informed" and that they must be provided with clear and comprehensive information about the purposes of information which will be stored. The ICO have been running an education campaign around key compliance issues including the thorny question of implied consent, (whereby a user's continued use of a website indicates their acceptance of the use of cookies).

However, in a recent blog, the ICO made it clear that businesses should now be aware of the law and that the education programme would increasingly be balanced by enforcement measures. Under the regulations, the ICO has the power to issue a fine of up to £500,000 to businesses which fail to comply with the regulations, although it appears more likely that the ICO will issue enforcement notices than fines.

Internet users can report concerns about specific websites by use of the ICO's "online cookie concern reporting tool." The ICO have had more than 380 such notifications to date and will issue a progress report of its response to those concerns in November.

Given this shift from education to an enforcement focus, businesses that have not already done so would be well advised to review their cookie use and ensure that appropriate information and consent mechanisms are included on their websites.