Guidance on complying with the new law
What do you need to be doing now?
The ICO advises that you take the following steps to prepare for this change in the law:
- Carry out an audit: What type of cookies are you using? How are you using them? Check which cookies are necessary and which might require a user’s consent. You also need to consider if your website displays content from a third party (e.g. advertisements) as that third party could be setting cookies on your users' devices. The ICO states that all parties have to ensure that users are aware of what is being collected and by whom;
Consequences of not complying
The ICO has recognised that three weeks (the time between publication of the guidance on the law and the law actually coming into force) is not a sufficient period for you to comply with the law. The ICO guidance on enforcement therefore states that there is a lead-in period of 12 months for you to develop ways to ensure compliance with the new rules, during which the ICO will not penalise you for non-compliance. During this period you need to have looked at the cookies your organisation uses and, where necessary, put in place steps to obtain users’ consent. If the ICO believes you are not taking appropriate steps in this period, it will ask you to explain what you are doing to be in a position to comply by May 2012. From May 2012 the ICO will handle complaints about websites in the normal manner.
The ICO has new powers to enforce this law. Serious breaches of the Regulations may attract monetary penalties of up to £500,000. A serious breach is defined as a serious contravention of the Regulations likely to cause substantial damage or distress. Such a contravention must have been deliberate, or the person responsible must have known, or ought to have known, that a contravention would occur and then failed to take reasonable steps to prevent it. The ICO has committed to producing further guidance on how it intends to use these powers; it is likely that this guidance will be published in October 2011. This date, like the May 2012 deadline, may seem a long way off. However, don’t be lulled into a false sense of security: the ICO has made it clear that organisations should be taking steps to ensure they can properly comply with the revised rules for cookies by May 2012, and the ICO may start to gather evidence of non-compliance prior to this date. If you require further information on how to go about undertaking an audit, please contact us.
The new law, the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011, can be found here.
The ICO’s guidance on complying with the new law can be found here.
The ICO’s guidance on enforcing the new law can be found here.
For further information on the differences between the old and new law, a previous Law Now can be found here: Cookie Consent: Opt-In or Opt-Out?