Using Cookies in the EU? Are you ready for the 26 May 2012 deadline?


Starting on 26 May 2012 the UK Information Commissioner’s Office (“ICO”) will begin enforcing sweeping changes to the EU cookie law put in place 12 months ago. By way of reminder, following a change to the EU’s Privacy and Electronic Communications Directive (the “E-Privacy Directive”) back in 2011, the rules on using cookies to track/store information on users are about to change.

Unless an exception applies, the new requirement essentially prohibits the use of cookies absent the consent of the user (unless the cookie is “strictly necessary”). The new rules apply regardless of where the website is based, if European personal data is collected.

In other words, a website operator over which the ICO has jurisdiction, wherever the operator is based in the world, will be unable to argue it was still getting its house in order if the ICO comes knocking.

Practically speaking, those using cookies, including US operators targeting Europe (which is often overlooked), will need to take immediate steps, if they have not already, to ensure they do not fall foul of the law and face the consequences of non compliance (a “do something” enforcement notice from the ICO or potentially a fine of up to £500K. Ouch!).

So what should you do before 26 May 2012?

1. Conduct an audit: Confirm what cookies are in use and what exactly they achieve (both your own and those of a third party).
2. Determine if exceptions apply: Consider whether an exception to the “opt in” rule exists (i.e. is a particular cookie “strictly necessary”?) Be cautious, however, as this exception is construed very narrowly. For example, guidance suggests that the “strictly necessary” exception applies only (1) where cookies remember the goods a user has put in a virtual basket, (2) for cookies providing essential security to comply with privacy law and (3) for cookies ensuring that the content of a page loads effectively by distributing workload across numerous computers.
3. Assess how intrusive each cookie is: This will dictate the “level” of consent required for each cookie.

Recent guidance from the UK ICO makes it clear that there is no “one size fits all” when it comes to obtaining valid consent and that relying on any form of implied consent via use is fraught with difficulties. Although the door appears to have been left open for implied consent in ICO guidance, it appears that this form of consent will only pass muster if a website operator is completely transparent as to the cookies in use and a clear notice is given to a user from the outset.

Any cookie used for analytical purposes or advertising, or which recognises a user so that a website can be tailored, should be approached with a great deal of care.

Website operators who have not considered the impact of these changes are advised to do so as a matter of urgency. You have been warned!