Originally published 25 May 2012

This weekend, the 12 month grace period for compliance with the new EU cookie rule comes to an end.

On the 26th May last year the UK implemented new EU rules (Directive 2009/136/EC) regarding the use of internet text-files called 'cookies' through the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011. Prior to implementation, the Information Commissioner's Office ("ICO") published guidance on how businesses should implement the Regulations, and confirmed that it would give website owners 12 months to comply with the new law. As this 12 month period comes to an end the ICO has commented on its plans for enforcement.

Under the Regulations, website providers, that store cookies on website users' devices so that the website can recognise the user's device in future, now need to receive explicit consent from users prior to the use of cookies. The ICO guidance advises website operators to carry out a cookie audit to assess both the types of cookie used and how intrusive those cookies are. It also provides examples of possible methods of gaining consent. Many businesses, however, remain uncertain as to the best method to obtain consent and, as such, have yet to implement a procedure to allow them to gain consent.

In terms of enforcement the ICO has a range of options available including the ability to issue Information Notices, Enforcement Notices and can also request that businesses sign undertakings. Under the Regulations, the ICO also has the power to impose financial penalties of up to £500,000 for serious breaches.

The ICO has made various comments recently regarding their approach to enforcement. Their guidance on the matter confirms that "enforcement will be practical and proportionate" and that any formal action must be a "proportionate response to the issue it seeks to address".  With regard to monetary penalties the guidance states that "monetary penalties will be reserved for the most serious of breaches."

© MacRoberts 2012


The material contained in this article is of the nature of general comment only and does not give advice on any particular matter. Recipients should not act on the basis of the information in this e-update without taking appropriate professional advice upon their own particular circumstances.