By Irene Bodle
Article Date: 2011-08-22
As a result of changes to the EU Privacy and Electronic Communications Directive, it is now unlawful to use cookies to collect user data without first obtaining explicit consent. In the UK, the Information Commissioner's Office (ICO), which is responsible for ensuring that websites comply with the new cookie law, has implemented a technical solution on its own website with the result that traffic to it plummeted.
UK Cookie Acceptance Policy
In May the ICO placed a banner at the top of its website in order to obtain consent from users to the placing of cookies. The banner stated how and why cookies would be stored and cross-referred to the ICO's privacy statement. By clicking on the banner users consented to the use of cookies. If users did not consent, then parts of the website did not work and were not accessible. In the following 35 days, traffic to the website fell by 90%. Unlike the ICO's website, many commercial websites rely upon multiple cookies for tracking, customer service, analytics and advertising revenues.
Prior Consent Required?
The current guidance from the ICO states that consent to cookies can be obtained after processing has begun. The UK authorities base their advice on the fact that the word 'prior' does not appear in the EU directive upon which the UK law is based. However, the Article 29 Working Party, which advises the EU on data protection issues, disagrees and claims that prior consent must be obtained to make cookie use legal. It will now be necessary for the ICO to provide further guidance to businesses on this issue. This is, however, unlikely until the new proposed EU data protection law, which should better define consent and its practical meaning, is published by the European Commission later this year.
Dutch Cookie Acceptance Policy
In the Netherlands, a new Dutch law requires prior "opt-in" consent before a cookie can be installed or stored on a user's computer. The language of the proposed law is quite broad and could require website owners outside of the Netherlands to comply with the Dutch law when processing personal data of Dutch citizens. In addition, the website owners would also have to comply with their own local cookie rules, which may be different.
Implementation of Cookie Acceptance Policies
To date only the UK, Denmark, Estonia, Finland, Sweden and the Netherlands have introduced measures implementing the Privacy and Electronic Communications Directive. The European Commission has set a deadline for European companies to create a uniform way for web users to opt out of being tracked by cookies within a year of the previous deadline. The Commission has said it will take action if industry does not standardise opt outs in that time. In the USA no such law exists and website operators are free to place cookies.
Guidance on Cookies and what to do:
Despite this conflict, organisations should check their websites for cookies, remove any which are not necessary and obtain consent as currently advised by the Information Commissioner. Simply doing nothing and waiting is not an option, as this will be taken into account when formal enforcement begins in May 2012.
Sites hosted and operating out of the USA, aimed at UK based users
It is not currently clear whether the law will apply to websites operated or hosted in the USA. However, if a website is aimed at UK users then it is likely that the law will be deemed to apply, although it remains to be seen how any enforcement action could be taken against a US company in breach.