The Information Commissioner’s Office (“ICO”) in the United Kingdom is now stepping up its enforcement of the EU Cookie Directive. Under the Cookie Directive, website operators are obligated to obtain informed consent from European residents before placing most cookies, including web beacons and other online technologies, on a visitor’s computer. Although the law has been compulsory in the UK since May of this year, not many website operators have complied. In response, the ICO’s group manager for business and industry has announced that the ICO will begin stepping up its enforcement of the Directive.
Under the Cookie Directive, a website operator must obtain informed consent before a cookie or other tracking technology is placed on a European visitor’s computer. The Directive makes a very narrow exception for those cookies that are necessary to provide the service offered on a site. In addition to requiring consent, visitors must also be given the option to access their data to correct it or delete it and the data should only be used for those purposes disclosed in the notice and consent.
The ICO generally enforces the Cookie Directive in one of two ways. First, the ICO educates the public about the Directive and its requirements. Second, the ICO enforces the Directive through notices and potential criminal procedures where a company refuses to comply. Although the ICO is able to fine companies as much as £500,000 (approximately $800,000), to date, in many instances a company can expect to receive a notice that it is failing to comply and be directed to bring its website into compliance to avoid an enforcement action. The ICO has largely depended on consumers to notify them of websites that have failed to comply. Now, having apparently run out of patience, the ICO is taking the position that companies should be aware of the Cookie Directive and should know to comply with it. Fines and additional enforcement actions may be on the horizon.
All companies with an international presence, especially those attracting visitors from the UK, should be aware of the Cookie Directive and the ICO’s new approach to compliance. While compliance may take some time and restructuring of a website, failure to comply may result in large penalties.