ICO Gives Extra Year To Comply With New Cookie Laws

By Clare Atkinson of Fox Williams

From 26 May 2011, amendments to the EU’s Privacy and Electronic Communications Directive, which have been implemented in UK law will force websites to obtain users’ consent before serving cookies to their computer, unless the cookie is “strictly necessary” to provide a service “explicitly requested” by the user.

Cookies are small text files stored on user’s computers by the web browser. Cookies can be used for a variety of purposes, such as storing website preferences, recording user activity on websites, shopping basket contents and to analyse users shopping habits.

There is much concern amongst website operators and advertisers over how the new opt-in requirement for cookies under the amended E-Privacy Directive will work in practice and what the cost of this will be.

The Information Commissioner’s Office (“ICO”) has issued guidance on how the amendments to the E-Privacy Directive should be implemented and has stated that it will allow a one year grace period for web-site operators to comply before using enforcement powers.

Business-friendly Solution

The ICO has acknowledged that the obtaining of consent to cookies can be challenging and has affirmed that it is looking for a business-friendly solution. Rather than being prescriptive about how consent must be obtained, the ICO has issued guidance detailing various ways in which website operators can choose to gain informed consent.

The ICO has advised that currently, web site operators can not rely on browser settings to obtain consent as most browser settings are not sophisticated enough to allow for the selective consent to cookies.

It suggests that in the future it may be appropriate to rely on browser settings, as the government is working with the major browser manufactures to establish settings which would meet the requirements of the E-Privacy Directive.

In the meantime, the ICO suggests that web-site operators review their use of cookies and choose a means of complying that is most suited to their website, whether this be through the use of pop-ups, obtaining agreement to changed terms and agreement or through choices on website features by the users.

The ICO highlights that what is key is that website operators are upfront with users about how the website operates. Consent must be gained by giving the user specific information about what they are agreeing to and providing them with a way to show their acceptance.

One Year Grace Period

Christopher Graham, the Information Commissioner, in a statement confirmed that the ICO will be implementing a grace period of one year for businesses and organisation to comply with the changes to the regulations. He stated that “Although there isn’t a formal transition period in the Regulations, the government has said they don’t expect the ICO to enforce the new rule straight away.

As the government does not expect work on technical solutions to be completed by the implementation date and recognises that it will take time for these solutions to be developed, evaluated and rolled out.

However, this does not mean that businesses can afford to ignore the issue for a year, as Christopher Graham confirmed. “We’re giving businesses and organisations up to one year to get their house in order. This does not let everyone off the hook. Those who choose to do nothing will have their lack of action taken into account when we begin formal enforcement of the rules.”


Once the grace period expires, the Information Commissioner has numerous powers at its disposal to enforce compliance. These include the ability to impose fines of up to £500,000 for serious breaches of the Privacy and Electronic Communications Regulations and the ability to undertake an audit of a business for compliance purposes.

Perhaps more damaging than these measures is the negative publicity that accompanies them. A perceived failure to respect user’s privacy can be very damaging to a brand.

Next Steps

The ICO has suggested that businesses carry out audits of their websites to assess how they use cookies and what measures will need to be implemented to comply.

It is important that businesses start to consider how to comply and do not rely on the grace period to protect them, as complaints made during this time will be taken into account once it expires in May 2012 and it would be bad for business to be the first to be made an example of by the ICO.

The first step in the audit is to consider the type of cookies that they use, for example, whether flash cookies are used and whether they have information on how to disable these.

Businesses should consider how users access their website, for example, do they register to use it? If so, can consent be obtained through express agreement to the terms and conditions of use? This will only be effective if the terms and conditions of use are sufficiently clear as to the cookies used.

The situation will be further complicated if third party cookies are used on the site. As is commonly the case when advertising space is sold on the site.

The method that is chosen for consent will affect the experience of using a site. Although pop-up boxes are a way of obtaining consent to the use of cookies, these may drive potential customers away from the site as it is too disruptive to browsing.

Starting early with an audit allows for time for solutions to be developed during the grace period and will prevent a business from being left red-faced later on.

For advice on how to comply with the amendments to the E-Privacy Directive, please contact Clare Atkinson of Fox Williams at catkinson@foxwilliams.com or 020 7614 2557.

Join us on