Using Cookies in the EU? Are you ready for the 26 May 2012 deadline?


[author: Steven P. Farmer]

Starting on 26 May 2012 the UK Information Commissioner's Office ("ICO") will begin enforcing sweeping changes to the EU cookie law put in place 12 months ago. By way of reminder, following a change to the EU's Privacy and Electronic Communications Directive (the "E-Privacy Directive") back in 2011, the rules on using cookies to track/store information on users are about to change.

The new requirement essentially prohibits the use of cookies without the user's consent unless an exception applies (that is, unless the cookie is "strictly necessary"). The new rules apply regardless of where the website is based, if European personal data is collected.

In other words, a website operator over which the ICO has jurisdiction, wherever the operator is based in the world, will be unable to argue it was still getting its house in order if the ICO comes knocking.

Practically speaking, those using cookies, including US operators targeting Europe (which is often overlooked), will need to take immediate steps, if they have not already, to ensure they do not fall foul of the law and face the consequences of non-compliance (a "do something" enforcement notice from the ICO or potentially a fine of up to £500K. Ouch!).

So what should you do before 26 May 2012?

1. Conduct an audit: Confirm what cookies are in use and what exactly they achieve (both your own and those of a third party).

2. Determine if exceptions apply: Consider whether an exception to the "opt in" rule exists (i.e. is a particular cookie "strictly necessary"?). Be cautious, however, as this exception is construed very narrowly. For example, guidance suggests that the "strictly necessary" exception applies only (1) where cookies remember the goods a user has put in a virtual basket, (2) for cookies providing essential security to comply with privacy law, and (3) for cookies ensuring that the content of a page loads effectively by distributing workload across numerous computers.

3. Assess how intrusive each cookie is: This will dictate the "level" of consent required for each cookie.

Recent guidance from the UK ICO makes it clear that there is no "one size fits all" when it comes to obtaining valid consent and that relying on any form of implied consent via use is fraught with difficulties. Although the door appears to have been left open for implied consent in ICO guidance, it appears that this form of consent will only pass muster if a website operator is completely transparent as to the cookies in use and a clear notice is given to a user from the outset.

Any cookie used for analytical purposes or advertising, or which recognises a user so that a website can be tailored, should be approached with a great deal of care.

Website operators who have not considered the impact of these changes are advised to do so as a matter of urgency. You have been warned!

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Pillsbury Global Sourcing Practice | Attorney Advertising
