Counting Down to the EU Cookie Rule for the UK


In 2009, the EU issued Directive 2009/136/EC of the European Parliament. The Directive concerns the ‘regulatory framework for electronic communications networks’ and includes what has come to be known as the “EU Cookie Rule”; the part concerning the use of cookies is just a small part of the whole Directive. Other articles of the Directive included accessibility for disabled users, provision of public telephones, and the universality of affordable internet connections at a reasonable connection speed.

All EU Member States were to have implemented new laws to comply with the Cookie Rule by May 26, 2011, but not all have. In the case of the UK, the Directive was implemented and the government immediately suspended enforcement for 12 months to provide organizations with time to comply. We’re now about 10 weeks from May 26, 2012, when websites selling goods or services to individuals in the UK must comply with the UK implementation of the Cookie Rule or face investigation by the Information Commissioner’s Office with the potential for fines of up to £500,000.

If you operate a website that provides goods or services to residents of the EU, and the UK in particular, before May 26, 2012, you should download and read the UK ICO’s Guidance on the New Cookies Regulations (the “Cookie Guidance”), which sets out the steps you need to take now to ensure you comply. In particular, you should (if you haven’t already):

  • Inventory all of your organization’s websites that provide goods/services to EU residents; and
  • Audit each of those websites and determine:
  • what kind of cookies (and other similar technologies) are being used and for what purposes;
  • which are 1st party cookies and which are 3rd party cookies;
  • if any are persistent cookies, how long do they last; and
  • which of those cookies are “essential to the operation of the service” and/or “explicitly requested” by the data subject.

Once you have done all that, you’ll need to verify that your website’s privacy policy accurately describes your practices with regard to the use of cookies, determine how best to inform consumers about your cookie practices and determine how best to obtain consent from your users, all before the May 26, 2012, deadline. Unfortunately, what it means to properly provide information and obtain consent in this area can be complicated, so you’ll need to consult legal counsel, as well.