Privacy & Information Security Law Blog

On May 25, 2012, the UK Information Commissioner’s Office posted updated guidance on how to comply with amendments to EU data protection law requiring businesses to obtain consent from website visitors to store information on their computers and retrieve that information in the form of cookies. Last year, the ICO gave organizations a grace period expiring on May 26, 2012, to comply with the new cookie rules.

The ICO’s guidance includes the following observations:

• there is no “one-size-fits-all” solution to suit every organization;
• being “clear, honest, open and upfront about cookies” is an easy first step towards compliance;
• the ICO recognizes that this is not an easy area for organizations to comply with; and
• using monetary penalties as an enforcement option has not been ruled out, but formal undertakings and enforcement notices are likely to be more useful in achieving compliance.

The guidance also reiterates a point made in earlier guidance that implied consent can be a valid form of consent, but only where it is clear that the user understands that their actions will result in a cookie being deployed. An example of an implied consent mechanism is used in the ICO’s blog post itself, which includes the following banner above a link to a video: “NB: playing YouTube video sets a cookie.”

The guidance stresses that work is “ongoing,” and, accordingly, it is unlikely that we will see a deluge of ICO enforcement actions following the expiration of the grace period tomorrow. That said, the ICO has written to 50 organizations to ask about their cookie compliance programs.