For most EU member countries, the formal implementation date for the much-publicized cookie consent provisions of the 2002 EU Directive on Privacy and Electronic Communications came and went without a change to their respective national laws. Although all 27 member countries of the EU were supposed to implement consent provisions into their national laws by May 25, 2011, only Estonia, Finland, and the UK met that deadline by implementing some form of consent into local law. France, Hungary, Ireland, Latvia, Lithuania, Luxembourg, Malta, and Sweden subsequently followed suit (after the deadline). The remaining member countries remain further behind on the path to implementation.
Even with a minority of EU states complying with the amended Directive, those countries that have taken action have failed to recognize a uniform means of obtaining consent from users, leaving companies who operate multi-jurisdictional websites without a a clear standard to implement
The UK’s Approach
The Guidance suggests several different ways for businesses to obtain consent. Consistent with the Guidance’s desire for individual businesses to determine the most appropriate means of consent for their website, none of these methods is recommended above another. The Guidance cites the following possibilities:
- Popups and similar techniques: The ICO calls this an “easy option to achieve compliance” and a “useful way of informing users of the techniques you use,” but acknowledges that it may spoil the experience of a consumer on a website that uses several cookies.
- Settings-led consent: Consent may be obtained when a consumer makes a choice about how they want the site to work, such as when a consumer agrees to certain settings they have chosen.
- Feature-led consent: Consent may also be obtained when a user chooses to use a particular feature of a website, such as watching a video clip.
- Functional uses: Webpages can place text, in the footer or header of a webpage, that is highlighted or permits scrolling when setting a cookie on the consumer’s device.
The Guidance acknowledges that third party consent is the “most challenging area in which to achieve compliance,” and that they are continuing to work with industry and other European authorities to develop solutions. At present time, the Guidance does favorably note the use of “initiatives” that “allow  users to make informed choices about what is stored on their device,” but also keeps open the possibility of supplementing this advice with further examples.
The press release accompanying the Guidance also noted a one-year grace period on enforcement of the consent provisions, to May 26, 2012.