When new EU law requiring website owners to seek consent before using cookies (text files widely used by websites to store information about users) came into force on 26 May 2011, only two weeks after the Information Commissioner’s Office had issued its guidance to organisations on how to comply with the new rules, it left the vast majority of website owners theoretically exposed to enforcement action for non-compliance.

In a welcome recognition of the significant challenges faced by organisations in restructuring their websites, the ICO has now announced a 12-month grace period for organisations to achieve legal compliance.

What must organisations do within this 12-month period? The ICO advises organisations to take the following steps:

  1. Check what type of cookies and similar technologies you use and how you use them.
  2. Assess how intrusive your use of cookies is.
  3. Decide what solution to obtain consent will be best in your circumstances.

It is the third step, obtaining consent in a way which meets legal requirements without intruding on the website’s user experience, which is likely to present the biggest practical challenge and to require both legal and web developer input. Consent will require a positive indication from users that they consent to the website’s use of cookies, and current browser cookie settings are not deemed sufficient by the ICO to satisfy these requirements.

The ICO has already adapted its own website to include a “header” bar above the main text of the website incorporating a tick box for users to indicate their acceptance of cookies from its website. However, it also notes in its guidance that there will be a variety of technical means by which consent may be signified and that it is for website owners to decide on what is the appropriate means of obtaining consent for their site, having carried out the assessments suggested at 1 and 2 above.