Following its vague warning on cookies in March, and confirmation last month that the UK would adopt the amended EU rules on cookies verbatim, the UK ICO has now issued new guidance that makes it clear that websites must obtain users’ consent before storing cookies on devices.  The guidance, which relates to amendments to the UK e-privacy legislation that come into force on 26 May, 2011, issues a stark warning to companies that they “cannot ignore these rules”.

The new guidance focuses on new European rules that require businesses to obtain user consent before placing cookies on their computers.  Previous measures, which included informing users that cookies were being used and offering ‘opt-out’ procedures, will no longer be sufficient.  The guidance sets out various ways in which the user’s consent may be validly obtained, including via pop-ups, terms and conditions of use, and ‘feature-led’ consent.  The guidance notes that the list of methods for obtaining consent is not exhaustive, though it states that browser settings are currently not “sophisticated enough” to allow websites to assume that users have given consent.

There is an exception to the new rule: user consent will not be required if the use of the cookie is ‘strictly necessary’ for the operation of the service requested by the user.  Examples include cookies that enable online ‘shopping baskets’, where a site needs to remember what was placed in the ‘basket’ before it is paid for by the user.  However, the ICO does warn that this exception should be interpreted “quite narrowly”.

In terms of enforcement, the guidance suggests that businesses which show they are considering how to change their policies to comply with the new rules will not face penalties if they have not fully implemented the change by 26 May, 2011.  This reflects an earlier statement from the UK Communications Minister, Ed Vaizey,  that the government does not expect the ICO to take enforcement action in the short term against businesses and organisations as they work out how to address their use of cookies.  The ICO has stated that further detailed guidance on enforcement procedures is also in the pipeline.

Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as the IAPP’s European Advisory Board, Privacy International and the European security agency, ENISA.