Using Cookies in the EU? Are you ready for the 26 May 2012 deadline?


[author: Steven P. Farmer]

Starting on 26 May 2012 the UK Information Commissioner's Office ("ICO") will begin enforcing sweeping changes to the EU cookie law put in place 12 months ago. By way of reminder, following a change to the EU's Privacy and Electronic Communications Directive (the "E-Privacy Directive") back in 2011, the rules on using cookies to track/store information on users are about to change.

Unless an exception applies, the new requirement essentially prohibits the use of cookies absent the consent of the user (unless the cookie is "strictly necessary"). The new rules apply regardless of where the website is based, if European personal data is collected.

In other words, a website operator over which the ICO has jurisdiction, wherever the operator is based in the world, will be unable to argue it was still getting its house in order if the ICO comes knocking.

Practically speaking, those using cookies, including US operators targeting Europe (which is often overlooked), will need to take immediate steps, if they have not already, to ensure they do not fall foul of the law and face the consequences of non compliance (a "do something" enforcement notice from the ICO or potentially a fine of up to £500K. Ouch!).

So what should you do before 26 May 2012?

1. Conduct an audit: Confirm what cookies are in use and what exactly they achieve (both your own and those of a third party).

2. Determine if exceptions apply: Consider whether an exception to the "opt in" rule exists (i.e. is a particular cookie "strictly necessary"?) Be cautious, however, as this exception is construed very narrowly. For example, guidance suggests that the "strictly necessary" exception applies only (1) where cookies remember the goods a user has put in a virtual basket, (2) for cookies providing essential security to comply with privacy law and (3) for cookies ensuring that the content of a page loads effectively by distributing workload across numerous computers.

3. Assess how intrusive each cookie is: This will dictate the "level" of consent required for each cookie.

Recent guidance from the UK ICO makes it clear that there is no "one size fits all" when it comes to obtaining valid consent and that relying on any form of implied consent via use is fraught with difficulties. Although the door appears to have been left open for implied consent in ICO guidance, it appears that this form of consent will only pass muster if a website operator is completely transparent as to the cookies in use and a clear notice is given to a user from the outset.

Any cookie used for analytical purposes or advertising, or which recognises a user so that a website can be tailored, should be approached with a great deal of care.

Website operators who have not considered the impact of these changes are advised to do so as a matter of urgency. You have been warned!

Written by:

Published In:

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Pillsbury Global Sourcing Practice | Attorney Advertising

Don't miss a thing! Build a custom news brief:

Read fresh new writing on compliance, cybersecurity, Dodd-Frank, whistleblowers, social media, hiring & firing, patent reform, the NLRB, Obamacare, the SEC…

…or whatever matters the most to you. Follow authors, firms, and topics on JD Supra.

Create your news brief now - it's free and easy »

All the intelligence you need, in one easy email:

Great! Your first step to building an email digest of JD Supra authors and topics. Log in with LinkedIn so we can start sending your digest...

Sign up for your custom alerts now, using LinkedIn ›

* With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name.