Privacy & Cybersecurity Law Blog

On May 25, 2011, the UK Information Commissioner’s Office (the “ICO”) issued a news release stating that organizations and businesses that run websites aimed at UK consumers will be given up to 12 months to “get their house in order” before enforcement of the new cookie law begins.  Information Commissioner Christopher Graham made it clear, however, that “[t]his does not let everyone off the hook.  Those who choose to do nothing will have their lack of action taken into account when we begin formal enforcement of the rules.”

The ICO’s position is described in new guidance published today on its approach to enforcing the new cookie law.  The new UK law, the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (the “Regulations”), implements changes made in 2009 to the e-Privacy Directive (EC 2002/58).

The ICO published initial guidance on the Regulations earlier this month and acknowledges the challenge of complying with the new law.  While the changes to the e-Privacy Directive contemplate using browser settings to obtain consent, the Information Commissioner has admitted that, although browser settings give individuals more control over cookies and will be an important part of the solution, the technology is not yet sufficiently evolved.

In addition, the Department for Culture, Media and Sport, the government department responsible for the Regulations, has published an open letter on how the new UK cookie consent requirements should be interpreted.

The ICO’s guidance also includes information for consumers on what the new rules will mean for them and how to complain to the ICO, as well as information on what the ICO itself is doing to comply with the Regulations with respect to its own website.