As of 26 May 2011 the law concerning the use of cookies has changed.  Cookies enable website owners to monitor users' browsing habits and profile them for marketing purposes.

Previously it was sufficient for website owners to provide the user with clear and comprehensive information regarding the use of the cookie and give him or her the opportunity to opt-out of such use. Under the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011, the obligation to provide the information remains, but unless the cookie is 'strictly necessary' for a service requested by the user, it is necessary to obtain the user’s explicit consent to the use of the cookie. It appears that the exception of what is 'strictly necessary' will be narrowly construed by the ICO.

There is some uncertainty about the changes website owners should implement to comply with the new law.

It has been debated whether a user's browser settings could be a means of indicating consent. However, most browsers are not sophisticated enough to allow website users to consent to the use of cookies.

The Information Commissioner's Office (ICO), which is responsible for monitoring and enforcing the legislation, acknowledges this uncertainty and has allowed a lead in period of 12 months for companies to fully comply with the requirements. After May 2012, the ICO may take enforcement action for breach of regulations, which include undertaking audits and, depending on the severity of the breach, imposing financial penalties.

However, the ICO has warned that the regulations cannot simply be ignored over the next 12 months. If it appears that a company is not taking adequate steps to comply with the regulations, the Information Commissioner may issue a warning as to future enforcement or ask the organisation to explain the steps it is taking to ensure it is in a position to comply by May 2012.

In the meantime, the ICO recommends website owners take the following steps:

  • check what types of cookies are used on their websites and how they are used;
  • assess how intrusive the use of the cookie is;
  • decide what solution is best in the circumstances to obtain the necessary consent.

There is no single solution that is demanded by the regulations; it is for companies to decide which solution is best for their circumstances. Such solutions could include the use of pop-ups when a user first visits a website or an amendment to the terms and conditions (although such an amendment must be brought to the attention of and accepted by the user). The main problem is that such solutions are likely to have a negative impact on the user’s experience of the website.

If you have a website that uses cookies, or any similar technology for storing information, you should take note and consider ways of changing your site to take these regulations into account. Privacy policies will also need to be updated to provide that you will only collect and use information from cookies where express consent has been obtained.