In May 2011 a change in the Privacy and Electronic Communications Regulations 2003 came into force in relation to the use of website cookies. Instead of website owners providing information about cookie use in their privacy policies, the new law places an obligation on website owners to obtain “explicit (or active) consent” from website visitors before using cookies.
There is an exemption from the requirement to get explicit consent where the cookie is "strictly necessary" in order for a website owner to provide a service "explicitly requested" by the user. This exemption is designed to cover things such as online shopping baskets (where a cookie is required to remember information across several website pages) and registered user areas (where a user is required to log in for security purposes), but not where a user is simply visiting a website for information.
The Information Commissioner's Office (ICO), acknowledging the difficulty that the change in law would cause, gave UK website owners a 12 month grace period to take steps to comply with the new law. As you may have heard in recent news coverage, this grace period came to an end on 26 May 2012.
So what has changed for website owners post-26 May? The ICO said prior to the deadline that it would not take immediate enforcement action against non-compliant websites after the 26 May, so long as the website owner could show that it is taking steps to become compliant. Therefore, in practice not much has changed and the big 'doomsday' scenario which we were originally being warned about has not occurred; people are still using websites without being harassed by endless pop-ups.
You will however probably have seen different types of banners, roll-over links and cookie policies on various high profile websites, which highlight which cookies are being used and how. While this approach is not strictly compliant with the letter of the law, it does show that website owners are '”taking steps” towards compliance and are being more open with users about the types of cookies being used on their websites, which was the original aim of the European Commission. It is also the approach that most website owners seem to have taken seeking safety in numbers, while they wait for someone to come up with a compliant alternative which does not effect the user experience.
This is an area of law which is likely to change and develop rapidly over the next few months, so we are recommending that you watch this space for further updates!
The ICO's guidance on the new requirements is available through this link.