On May 25, 2012, the UK’s data protection authority, the ICO, issued updated guidance on the new cookie rules (Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011). As we have reported here and here, when the rules were first introduced in May 2011, the ICO granted UK website operators a “honeymoon” period of 12-months to comply with the rules, which comes to an end on May 26, 2012.
This is the second time the ICO has updated its advice on cookies, which is intended to assist UK website operators in complying with the new rules that require them to provide website visitors with clear and comprehensive information about cookies and obtain their consent to store a cookie on their device. The ICO has also posted a short video on its website to respond to some of the frequently asked questions related to the new cookie rules.
The guidance further states that implied consent may not be appropriate in certain circumstances, e.g., when sensitive personal data is collected.
In its responses to the frequently asked questions, the ICO acknowledges that compliance with the new cookie rules is not straightforward, and therefore, the regulator will not require full compliance starting May 26, 2012. Instead, the ICO will expect companies to have taken steps to comply with the rules (e.g., by conducting a cookie audit, making notices about cookies more prominent and considering the best methods for obtaining consent) and have a realistic plan for complying with the rules by a specific date.
The ICO also states that a failure to comply with the new cookie rules would be unlikely to result in the imposition of monetary penalties. Instead, the ICO is more likely to request companies to enter into formal undertakings to bring their actions into compliance with the law.
To help the ICO investigate potential breaches of the law, the regulator published a cookie reporting tool on its website and encourages members of the public to report any concerns they have with cookie practices of specific websites. The ICO will use this information to help it determine the particular sectors and types of cookies on which to focus its enforcement strategy.