Following its vague warning on cookies in March, and confirmation last month that the UK would adopt the amended EU rules on cookies verbatim, the UK ICO has now issued new guidance that makes it clear that websites must obtain users’ consent before storing cookies on devices. The guidance, which relates to amendments to the UK e-privacy legislation that come into force on 26 May, 2011, issues a stark warning to companies that they “cannot ignore these rules”.
The new guidance focuses on new European rules that require businesses to obtain user consent before placing cookies on their computers. Previous measures, which included informing users that cookies were being used and offering ‘opt-out’ procedures, will no longer be sufficient. The guidance sets out various ways in which the user’s consent may be validly obtained, including via pop-ups, terms and conditions of use, and ‘feature-led’ consent. The guidance notes that the list of methods for obtaining consent is not exhaustive, though states that browser settings currently are not “sophisticated enough” to allow websites to assume that users have given consent.
There is an exception to the new rule — user consent will not be required if the use of the cookie is ‘strictly necessary’ for the operation of the service requested by the user. Examples include cookies that enable online ‘shopping baskets’, for example, where a site needs to remember what was placed in the ‘basket’ before it is paid for by the user. However, the ICO does warn that this exception should be interpreted “quite narrowly”.
In terms of enforcement, the guidance suggests that businesses which show they are considering how to change their policies to comply with the new rules will not face penalties if they have not fully implemented the change by 26 May, 2011. This reflects an earlier statement from the UK Communications Minister, Ed Vaizey, that the government does not expect the ICO to take enforcement action in the short term against businesses and organisations as they work out how to address their use of cookies. The ICO has stated that further detailed guidance on enforcement procedures is also in the pipeline.