New law regarding the use of cookies on websites was introduced in the UK in May last year.  Broadly speaking, the new law requires a website owner/operator to:

  • tell users that cookies are used on its website;
  • explain to users what the cookies are doing; and
  • obtain users’ explicit consent to store cookies on their device.

The Information Commissioner is responsible for enforcing this new law.  When the law originally came into force, the Information Commissioner recognised that businesses would need to be given a period of time to implement the changes required by the new law and so gave a 12 month grace period to allow organisation to implement the required changes.

This grace period is due to expire on 26 May 2012 and as of that date all organisations that own/operate a website will be expected to comply with the new law on cookies.

Even though the deadline is fast-approaching, a recent analysis by KPMG of 55 major UK organisations across UK private and public sectors found that 95% were still not in compliance with the new cookie law.

The most difficult part of the new law is in relation to the obtaining of explicit consent to the use of cookies from users of a website.  The Information Commissioner has issued guidance as to various methods by which such consent can be obtained, such as the use of pop ups or message bars, but no “best practice” approach has yet been developed. 

Complying with the new law may have a negative impact upon the look and feel of a website and may potentially make a website less user-friendly should a user refuse to give consent to some or all cookies used by a website.  However, website owners/operators should be aware that there are risks associated with failing to comply with the new law.

The Information Commissioner has a number of enforcement powers, such as the ability to serve enforcement notices (compelling an organisation to take certain action) and in extreme cases, monetary penalty notices (requiring an organisation to pay a fine).

The Information Commissioner has advised that he intends to take a proportionate approach to the enforcement of the new cookie law and it is therefore likely that he will show leniency towards those organisations that can demonstrate they are taking steps to become compliant, even if not yet fully compliant as at 26 May 2012.