
UK Cookie Law "Grace Period" Expires -- Enforcement to Begin

While those of us in the United States were observing Memorial Day and enjoying the unofficial start of summer, the grace period from enforcement of the UK "Cookie Law" expired on Sunday, May 27th. Accordingly, websites must now obtain "informed consent" from visitors before storing cookies on their machines. The reach of this law extends far beyond the shores of the UK: it applies to websites hosted on US-based servers that target, reach or are otherwise used by UK users. Have you looked at your website's use of cookies yet?

At the very end of last week (on Friday, in fact), the ICO issued its third guidance note (May 2012), which outlines the changes to the cookies law and explains the steps that need to be taken to ensure compliance. The ICO has also posted a short video on its website to respond to some of the frequently asked questions related to the new cookie rules.

Implied Consent Acceptable. For the first time, and contrary to the ICO's previous advice, the ICO has made it clear that reliance on implied consent is an acceptable form of consent. There are limitations, however:

  • Implied consent is a valid form of consent and can be used in the context of compliance with the revised rules on cookies.
  • If you are relying on implied consent you need to be satisfied that your users understand that their actions will result in cookies being set. Without this understanding you do not have their informed consent.
  • You should not rely on the fact that users might have read a privacy policy that is perhaps hard to find or difficult to understand.
  • In some circumstances, for example where you are collecting sensitive personal data such as health information, you might feel that explicit consent is more appropriate.

Despite the ICO's recognition that implied consent may be the most practical and user-friendly option for analytic cookies (such as Google Analytics), the regulator reminds website operators that, for the majority of users, it is not clear or obvious that most websites use cookies to analyze traffic to, or use of, their sites. Therefore, according to the latest guidance, the key to implied consent for analytic cookies is to make the use of cookies "second nature" to users, so that the website operator may reasonably interpret their actions (e.g., continuing to navigate the site, or taking certain actions) as an indication that they consent to the cookies. The ICO itself uses an implied consent mechanism in its guidance post: the video link carries the following banner:

We’ve answered some of your FAQs in a video, summarising how you can comply and the approach the ICO is taking to enforcement. (NB: playing YouTube videos sets a cookie - more information.)
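A minimal implementation of the pattern the ICO describes, as an added example (not code from the ICO, from Mintz Levin, or from the original post): non-essential cookies are held back until the visitor has either clicked accept on a notice or, once the notice has actually been shown, continued to use the site. It is written for Node with an in-memory cookie jar standing in for document.cookie; the consent cookie name and the "unknown"/"granted"/"refused" state values are assumptions of the example.

```javascript
// Added example: a consent gate for non-essential cookies (explicit or implied
// consent). Not the ICO's or the original post's code. The jar is a Map so the
// code runs under Node; in a browser, read/write document.cookie instead.

const CONSENT_COOKIE = "cookie_consent"; // assumed name for the first-party consent record

function createConsentGate(jar = new Map()) {
  let noticeShown = false; // has a prominent cookie notice been displayed to this visitor?
  const deferred = [];     // non-essential cookies requested before any decision was made

  // "unknown" until the visitor decides; "granted" or "refused" afterwards.
  const state = () => jar.get(CONSENT_COOKIE) || "unknown";

  // Strictly necessary cookies (session id, CSRF token) do not need consent.
  // Everything else is written only once consent is "granted"; while the
  // decision is still "unknown" the request is parked, not silently dropped.
  function setCookie(name, value, { essential = false } = {}) {
    if (essential || state() === "granted") {
      jar.set(name, value);
      return true;
    }
    if (state() === "unknown") deferred.push([name, value]);
    return false;
  }

  // Record the decision and resolve anything parked while it was pending.
  function decide(decision) {
    jar.set(CONSENT_COOKIE, decision);
    if (decision === "granted") {
      for (const [name, value] of deferred) jar.set(name, value);
    }
    deferred.length = 0; // refused: discard; granted: already written
  }

  // Explicit consent: the visitor clicked accept or reject on the notice.
  const accept = () => decide("granted");
  const reject = () => decide("refused");

  // The notice must have been displayed before any action can imply consent;
  // without it the visitor cannot know that continuing will set cookies.
  const showNotice = () => { noticeShown = true; };

  // Implied consent: continuing to navigate counts only after the notice was
  // shown and only while no explicit decision has been recorded.
  function onUserAction() {
    if (noticeShown && state() === "unknown") decide("granted");
    return state();
  }

  return { setCookie, accept, reject, showNotice, onUserAction, state, jar };
}
```

The two points the ICO guidance stresses map onto two checks here: an action only implies consent after the notice has been shown (otherwise the visitor's "understanding" cannot be assumed), and a refusal is sticky, so later navigation does not quietly re-enable analytics cookies.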

The Big Question: Enforcement? The ICO further acknowledged that compliance with the new cookie rules is not straightforward and that the regulator will not require full compliance starting now. The ICO will expect companies to have taken steps to comply with the rules (for example, conducting a cookie audit, making notices about cookies more prominent, and considering the best methods for obtaining consent) and to have a realistic plan in place for complying with the rules by a date certain. According to the ICO, using the monetary penalties built into the law as an enforcement option has not been ruled out, but formal "undertakings" and enforcement notices are likely to be more useful in achieving compliance. That being said, the ICO says it has already written to more than 50 organizations to ask about their cookie compliance programs.

A cookie reporting tool has been published on the ICO’s website and the regulator encourages the public to report any concerns they have with cookie practices of specific websites.

If you have questions about compliance with the UK Cookie Law or would like to implement a cookie compliance plan, contact any member of your Mintz Levin service team, or one of Mintz Levin’s privacy lawyers.

 


Author

Cynthia J. Larose

Member / Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.