UK Office: No Cookies Without Informed Consent

We will be discussion international regulations later in the semester, but the Information Commissioner’s Office (ICO) in the UK issued a big announcement this week, and I wanted to mention it now, as it will be relevant to our future discussions.  The ICO told all UK public and private sector businesses that from May 26, 2011, when the EU-backed new e-Privacy law comes into effect, they will be required to get “informed consent” from their website visitors in order to store and retrieve information on their devices.  The law is mainly focused around the use of cookies – small text files placed on a user’s computer for the purposes of logging data such as registration information, user preferences, pages visited, shopping basket items, etc.

The UK regulations were amended last week to comply with the 2009 amendments to the EU’s Privacy and Electronic Communications Directive (Directive 2009/136/EC).

In order to help businesses get ready for the change, the ICO has recently published guidelines providing practical advice on the new cookies rules, explaining what steps you need to take to ensure you comply.  The guidance features many examples for businesses to get a sense of what is covered.  For example, interestingly, the only applicable exception to the cookies rule for most website operators is if the cookie is “strictly necessary” for a service requested by the user.  While there is little guidance on what is “strictly necessary,” the guidelines provide some information.  According to the ICO, cookies used to implement a shopping cart may fall under the “strictly necessary” exception, if the cookies are necessary to ensure that items selected on previous pages are available during check-out.  However, the ICO stressed that this exception is very narrow and would not apply to cookies used to make the website more attractive by remembering users’ preferences.

The guidance is intended to help organizations to start to think about the practical steps they will need to take to remain compliant with the new law. According to the ICO, it will be supplemented by additional content as innovative ways to acquire users’ consent are developed.

What does this mean for other countries that do business in the UK?  Well, when a company offers a UK or EU version of a website, for example, it may be required (or at least expected by users) to follow the EU rules – now implemented locally in the UK.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s