E.U. Cookie Law: U.K.’s ICO Says “It’s Complicated”

Starting today, U.K. websites must ask for and get the consent of their users before placing non-essential cookies on their computers.  (A “cookie” is a small text file that is served to a computer when you visit a website and can be used to recognize you when you return, or when you visit other websites.)  The so-called E.U. “Cookie Law” aims to protect website users from unwanted marketing by giving them more control over cookies.

The E.U. Commission implemented the Cookie Law on May 25, 2011, but the U.K.’s data protection authority, the Information Commissioner’s Office (ICO), gave companies one year to comply.  The deadline for compliance is technically today, May 26, 2012.  However, the ICO announced yesterday that compliance with the law is complicated and so it does not expect (or require) full compliance by today.  Instead, the ICO expects companies to have taken steps to comply, including the development of a plan to achieve compliance by a specific date.  The specific steps the ICO mentions include conducting a cookie audit to determine what types of cookies a website has and how they are used, making notices on the website about cookies more obvious to users, and determining the best method to get users’ permission.  A recent KPMG study found that 95% of companies have yet to comply with the law, so the Commission’s shift seems rooted in reality.

The guidance yesterday made an important clarification about getting users’ permission.  Contrary to its previous statement regarding consent, the ICO now says “implied consent” is a valid form of consent.  Previously, the ICO had indicated that once the law took effect, users would have to opt in to all non-essential cookies, which critics pounced on as impractical and burdensome.  In other words, before a cookie could be placed on a user’s computer, the user would have to agree.  This would have required users to, for example, click an icon, dismiss a banner, send an email or subscribe to a service.  Based on yesterday’s reversal, a company can now rely on implied consent, so long as it believes its visitors have a reasonable understanding that their actions will result in cookies being set or information being accessed on their mobile device.  This is a very significant change.

Also in the good news column for website owners, the ICO said that a company’s failure to comply with the new law is unlikely to result in fines.  The maximum monetary penalty for non-compliance is £500,000 (which is not a small sum), but rather than imposing it, the ICO would need to see a specific plan of action to bring the company into compliance.

The law applies to all 27 Member States of the European Union.  Websites outside of the E.U. must comply with the law if they are targeting people within Member States.  So, a website based in the U.S. that sells to users who are residents of the U.K., for example, will also have to comply with the Cookie Law.  What this compliance looks like is certainly more reasonable today, from a website owner’s perspective, than it was before the ICO’s announcement yesterday.