All EU Member States were to have implemented new laws to comply with the Cookie Rule by May 26, 2011, but not all have. In the case of the UK, the Directive was implemented and the government immediately suspended enforcement for 12 months to provide organizations with time to comply. We’re now about 10 weeks from May 26, 2012, when websites selling goods or services to individuals in the UK must comply with the UK implementation of the Cookie Rule or face investigation by the Information Commissioner’s Office with the potential for fines of up to £500,000.
If you operate a website that provides goods or services to residents of the EU, and the UK in particular, you should, before May 26, 2012, download and read the UK ICO’s Guidance on the New Cookies Regulations (the “Cookie Guidance”), which sets out the steps you need to take now to ensure you comply. In particular, you should (if you haven’t already):
- Inventory all of your organization’s websites that provide goods/services to EU residents; and
- Audit each of those websites and determine:
  - what kind of cookies (and other similar technologies) are being used and for what purposes;
  - which are 1st party cookies and which are 3rd party cookies;
  - if any are persistent cookies, how long they last; and
  - which of those cookies are “essential to the operation of the service” and/or “explicitly requested” by the data subject.
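
One way to start the audit step above, as an added example that is not part of the original post or the ICO guidance: it classifies cookies from captured `Set-Cookie` headers as 1st or 3rd party and as session or persistent, with lifetime in days. The host names, sample headers and the suffix-match test for "1st party" are assumptions; purpose and essentiality cannot be inferred from headers and are left for manual review.

```python
from contextlib import suppress
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def cookie_lifetime(header, now):
    """Return (name, lifetime in seconds); lifetime is None for a session cookie."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {k.strip().lower(): v.strip()
             for k, _, v in (p.partition("=") for p in parts[1:])}
    lifetime = None
    if "expires" in attrs:  # an unparseable date leaves the cookie as a session cookie
        with suppress(TypeError, ValueError):
            lifetime = (parsedate_to_datetime(attrs["expires"]) - now).total_seconds()
    if "max-age" in attrs:  # a valid Max-Age takes precedence over Expires (RFC 6265)
        with suppress(ValueError):
            lifetime = int(attrs["max-age"])
    return name, lifetime

def audit(site_host, observations, now):
    """Classify (responding host, Set-Cookie header) pairs seen while browsing site_host."""
    rows = []
    for host, header in observations:
        name, lifetime = cookie_lifetime(header, now)
        host = host.lower()
        # Assumption: simple suffix match; a real audit should compare registrable domains.
        first_party = host == site_host or host.endswith("." + site_host)
        persistent = lifetime is not None and lifetime > 0
        rows.append({
            "name": name, "set_by": host,
            "party": "1st" if first_party else "3rd", "persistent": persistent,
            "lifetime_days": round(lifetime / 86400, 1) if persistent else None,
            "purpose": None, "essential": None,  # cannot be inferred; fill in by hand
        })
    return rows

# Constructed sample data, not taken from any real site.
NOW = datetime(2012, 3, 15, tzinfo=timezone.utc)
SAMPLE = [
    ("shop.example", "basket=abc123; Path=/; HttpOnly"),
    ("shop.example", "prefs=lang-en; Max-Age=31536000; Path=/"),
    ("ads.tracker.example", "uid=42; Expires=Sat, 15 Mar 2014 00:00:00 GMT; Path=/"),
    ("static.shop.example", "old=; Max-Age=0"),
]

if __name__ == "__main__":
    for row in audit("shop.example", SAMPLE, NOW):
        print(row)
```

The headers would normally come from a browser HAR export or proxy log of a full visit, since cookies set by scripts or later page loads do not appear in the first response.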