Previously it was sufficient for website owners to provide the user with clear and comprehensive information regarding the use of the cookie and give him or her the opportunity to opt-out of such use. Under the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011, the obligation to provide the information remains, but unless the cookie is 'strictly necessary' for a service requested by the user, it is necessary to obtain the user’s explicit consent to the use of the cookie. It appears that the exception of what is 'strictly necessary' will be narrowly construed by the ICO.
There is some uncertainty about the changes website owners should implement to comply with the new law.
The Information Commissioner's Office (ICO), which is responsible for monitoring and enforcing the legislation, acknowledges this uncertainty and has allowed a lead in period of 12 months for companies to fully comply with the requirements. After May 2012, the ICO may take enforcement action for breach of regulations, which include undertaking audits and, depending on the severity of the breach, imposing financial penalties.
However, the ICO has warned that the regulations cannot simply be ignored over the next 12 months. If it appears that a company is not taking adequate steps to comply with the regulations, the Information Commissioner may issue a warning as to future enforcement or ask the organisation to explain the steps it is taking to ensure it is in a position to comply by May 2012.
In the meantime, the ICO recommends website owners take the following steps:
- check what types of cookies are used on their websites and how they are used;
- assess how intrusive the use of the cookie is;
- decide what solution is best in the circumstances to obtain the necessary consent.
There is no single solution that is demanded by the regulations; it is for companies to decide which solution is best for their circumstances. Such solutions could include the use of pop-ups when a user first visits a website or an amendment to the terms and conditions (although such an amendment must be brought to the attention of and accepted by the user). The main problem is that such solutions are likely to have a negative impact on the user’s experience of the website.