EU & cookie legislation

From 26 May 2011, an amendment to the E-Privacy Directive (2002/58/EC) means website operators must get consent from individuals to place cookies on their devices, rather than simply informing individuals that cookies are being used.

Whilst the Information Commissioner's Office (ICO) granted 12 months' grace to enable website operators to comply with the new requirements, this period has now ended, and the ICO may now enforce compliance.

Since the new laws came into effect, the ICO has been issuing Guidance to set out what website operators need to do, in particular indicating that website operators should conduct audits to:

  • check what cookies are being used on websites and how they are being used
  • assess how intrusive the use is and prioritise compliance efforts, starting with the most intrusive
  • reach a decision on what is the best solution, in the circumstances, for communicating clear and comprehensive information to users and obtaining their consent to place the cookies

Recent experience includes:

  • Assisting clients in planning and carrying out audits of cookies used on their websites
  • Evaluating the audit results
  • Helping clients select the best solution for them to comply with the regulations for each cookie used
  • Making any required changes to existing privacy policies and statements to bring them in line with the new requirements