
ICO warns businesses of cookie compliance deadline

The Information Commissioner's Office (ICO) has threatened businesses with formal enforcement action if they fail to meet a deadline to take steps to comply with the so-called "cookie law".

The new rules requiring website operators to obtain consent from site visitors to the use of cookies were brought in under the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011. Although the new law came into force in May 2011, the Information Commissioner declared that there would be a 12-month grace period during which strict enforcement action would not be taken. Since that period expired in May 2012, the ICO has written to seventy-five of the UK's most frequently visited websites to check on the measures they are taking to ensure compliance. Those sites that have failed to respond have been set a deadline for their sites to conform to the law, and have been warned that enforcement notices will follow if they fail to do so. Any business which fails to act on the enforcement notice will be at risk of criminal prosecution.

A cookie is a small text file used by a website to collect information about internet users, such as their names, addresses, e-mail details, passwords and user preferences. The Regulations, designed to protect the privacy of internet users, state that a user's consent to the use of cookies must be "freely given, specific and informed" and that they must be provided with clear and comprehensive information about the purposes of information which will be stored. The ICO has been running an education campaign around key compliance issues including the thorny question of implied consent (whereby a user's continued use of a website indicates their acceptance of the use of cookies).

However, in a recent blog, the ICO made it clear that businesses should now be aware of the law and that the education programme would increasingly be balanced by enforcement measures. Under the Regulations, the ICO has the power to issue a fine of up to £500,000 to businesses which fail to comply with the Regulations, although it appears more likely that the ICO will issue enforcement notices than fines.

Internet users can report concerns about specific websites using the ICO's "online cookie concern reporting tool". The ICO has had more than 380 such notifications to date and will issue a progress report on its response to those concerns in November.

Given this shift from education to an enforcement focus, businesses that have not already done so would be well advised to review their cookie use and ensure that appropriate information and consent mechanisms are included on their websites.

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at October 2012. Specific advice should be sought for specific cases; we cannot be held responsible for any action (or decision not to take action) made in reliance upon the content of this publication.

TLT LLP is a limited liability partnership registered in England & Wales number OC 308658 whose registered office is at One Redcliff Street, Bristol BS1 6TP England. A list of members (all of whom are solicitors or lawyers) can be inspected by visiting the People section of this website. TLT LLP is authorised and regulated by the Solicitors Regulation Authority under number 406297.
