The Cookies Crumble – But Not Until May 2012

For many years websites have used cookie software to track users’ browsing; businesses have used it on their websites to store and retrieve that data.

Regulatory Control of Cookies

The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011, known as ‘the Regulations’, have enacted a European law in relation to the use of cookies. The law became effective on 26 May 2011, but enforcement has been deferred by a further 12 months in recognition of the large amount of work to be undertaken by businesses to prepare for the changes.

What Do The Regulations Outlaw?

The Regulations have brought in a law which means that website owners will be breaking the law if they use cookie files without the users’ explicit consent. This applies to all businesses regardless of size. Businesses will now be required by law to ask permission to store and retrieve information on users’ computers or other browsing devices.

Previously, simply notifying a user that the site uses cookies and providing an ‘opt out’ option was all that was required, but in an effort to protect users’ privacy greater restrictions have been brought into effect and the burden to comply has been passed on to website owners.

How Will the Regulations be Enforced?

The UK Information Commissioner’s Office (ICO) has discretionary powers, subject to the legislation, to enforce the Regulations and impose penalties for non-compliance. Penalties range from the power to conduct an audit to civil monetary penalties of up to £500,000 for serious breaches.

Time Scales

You may be concerned that you are only now hearing that you are in contravention of a new law, but fear not: the ICO confirmed on 25 May 2011 that it will give organisations and businesses a further 12 months to ‘get their house in order’ before enforcement begins. It appears that this concession to businesses is not, however, entirely charitable, as the ICO has made it clear that those who choose to do nothing will have their lack of action taken into account when enforcement begins. The moral of the story is that if you haven’t started to put plans into place to make the necessary changes, then do it soon. Given the 12-month grace period, it is likely that once formal enforcement begins the history of each organisation will be under close scrutiny.

As with many new regulations, there is likely to be a period when the powers will want to be seen to be flexing their muscles; however, the government is urging a phased approach. It is therefore unknown how enforcement will be approached in the months following May 2012.

Compliance Guidelines Available

Businesses may benefit from the vague and uncertain definition of ‘prior consent’. If it cannot be defined clearly by those who enforce it, then how can businesses be expected to comply? To avoid any doubt, however, there are steps that can be taken with reference to guidance from the ICO. If such guidance is followed, it is hard to see how the same body could then seek to enforce against an organisation or business that had undertaken all action promptly in line with that guidance.

Further information is contained on the ICO’s website (together with its new header bar giving visitors information on its privacy policy, the cookies it uses, and steps on how to manage them!)

Businesses and organisations should watch carefully for further guidance from the ICO as to the definition of ‘prior consent’ and begin to review their own policies governing privacy and the use of cookies on their own websites as soon as practicable.

There is nothing to suggest that the Regulations will disappear in 12 months’ time, so do nothing at your peril; a far better approach would be to do something sooner rather than later.

If you would like more information on this topic or an initial discussion with no obligation please call Paul Haycock on 0114 274 4275.