UK law governing how websites use cookies has changed as of 26 May 2011. This is to comply with a change in the law affecting all EU Member States. Businesses have less than 12 months to take steps to ensure their websites are in compliance.

What is changing?

Under the previous regime, website visitors had to be provided with clear and comprehensive information about the way in which a website installed information, or accessed stored information, on their computers. In other words, how a website used cookies. Visitors also had to be offered the right to refuse cookies.

However, from 26 May 2011, rather than being offered the right to refuse cookies, visitors have to provide explicit consent to allow websites to install a cookie on the user's computer. The one important exception to this is cookies that are strictly necessary for how the website operates, for which consent will still not be required. This category is defined narrowly, but includes cookies that track the contents of online shopping baskets.

Who is affected?

The new consent requirements will apply to businesses established within the EU, as well as to businesses using equipment situated within the EU. Given that the EU's Article 29 Data Protection Working Party has concluded that "using equipment" includes the installation of cookies on a user's computer, this may be of concern to businesses based outside the EU. It extends the application of the new regime to, for example, a company registered and based in the US operating servers based in the US, but whose websites are configured to automatically install cookies. If such a company's website was visited by an individual based in the UK and a cookie is installed without that individual's consent, this would constitute infringement of the new laws.

Each EU Member State has the freedom to choose how it implements the changes. The remainder of this client advisory focuses on the UK only.

How do website operators comply with the changes in the UK?

The UK government has published guidance that summarises the level of response expected in three steps:

  1. Check what type of cookies and similar technologies you use and how you use them.   
  2. Assess how intrusive your use of cookies is.
  3. Decide what methodology to obtain consent will be best in your circumstances.  

Further guidance on what these solutions might be is suggested under the following headings:

  • Pop ups and similar techniques  
  • Terms and conditions  
  • Settings-led consent   
  • Feature-led consent   
  • Functional uses  
  • Third party cookies  

In short, there is no prescriptive solution. The UK government ultimately expects a solution to be offered by browser manufacturers and has set up a working group made up of representatives from browser manufacturers to look at the issue. An ideal scenario, it would seem, is that browsers are made sufficiently sophisticated so that users can set them to accept some cookies and reject others, without having to think about this for every website they visit (rather than the 'accept all' or 'reject all' options currently offered).

Until then, businesses should satisfy themselves that all three steps outlined in the government guidance are taken and then look at which solution offers the least intrusive (whilst effective) way of asking users for their consent. EAPD is working with a number of clients on some practical solutions to these issues.

What are the consequences for non-compliance?

In the UK, the Information Commissioners Office (ICO) will be responsible for enforcement. The ICO has power to levy hefty fines (up to £500,000) for non-compliance, as well as take a range of other enforcement measures. Individuals who have suffered damage can also commence civil proceedings.

That said, under its enforcement guidance published on 25 May 2011, the ICO has stated that, while it cannot exempt organisations from the new requirements, it will allow a "lead in period", which will last until May 2012, to allow organisations time comply with the new rules before it will use its enforcement powers. Businesses are expected to use this lead in period to take active steps to achieve compliance.

Perhaps the biggest short term consequence for non-compliance may be the affect on a website’s reputation, given that privacy and data protection remain very popular topics in the UK.

Where can I find out more?

The UK ICO Guidance on the new law can be found here

The UK implementing legislation, the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (specifically, Regulation 6) can be found here.

The UK ICO Guidance on its enforcement of the new rules can be found here.