Cookie compliance: "Must try harder" and new guidance issued
Updated January 2012
Just before Christmas, the Information Commissioner published updated guidance for UK website owners, together with a message that they "must try harder" in relation to compliance with the new cookies law.
As we have highlighted in previous updates, the new rules, brought in under the amended Privacy and Electronic Communications Regulations, require cookie users to obtain consent from website visitors to the use of cookies and similar technologies (see Related publications).
Although the new law came into force in May last year, the Information Commissioner has allowed a 12 month grace period during which strict enforcement action will not be taken. The period was intended to allow time for the development of workable technical solutions and to enable organisations to work out how to comply, but organisations were urged not to delay action. The date for the commencement of enforcement, which may include fines of up to £500,000, is now only four months away.
There has been a degree of uncertainty as to how businesses are required to comply with the new requirements. As we previously reported (see Related links), the ICO's previous guidance rejected the use of browser settings as a means of complying with the new requirements but advised businesses to:
- conduct an audit of where cookies are used and how they are used;
- assess how intrusive the use of a cookie is; and
- decide what solution to obtain consent is most appropriate to the circumstances.
In publishing the new guidance, the Information Commissioner, Christopher Graham, stated: “The guidance we’ve issued today builds on the advice we’ve already set out, and now includes specific practical examples of what compliance might look like. We’re half way through the lead-in to formal enforcement of the rules. But, come 26 May next year, when our 12 month grace period ends, there will not be a wave of knee-jerk formal enforcement actions taken against those who are not yet compliant but are trying to get there... Our mid-term report can be summed up by the schoolteacher’s favourite clichés “could do better” and “must try harder.” Many people running websites will still be thinking that implementing the law is an impossible task. But they now need to get to work.”
Key points emerging from the guidance include:
- The meaning of consent: the guidance states that "consent must involve some form of communication where an individual knowingly indicates their acceptance."
- The importance of previous recommendations about conducting cookie audits.
- That cookies used for online shopping baskets and ones that help keep user data safe are likely to be exempt from complying with the rules but most others will need to comply. This includes those used for analytical purposes, for first and third party advertising, and ones that recognise when a user has returned to a website.
- That work is continuing to establish technical solutions for compliance in relation to third party cookies.
- An acknowledgement that user awareness in relation to cookies is low; the guidance highlights the importance of information and education.
- The ICO's regulatory and enforcement efforts will focus on the most intrusive cookies or those which have a clear privacy impact on individuals.
- Practical advice on compliance, including information about the use of techniques such as pop-ups, terms and conditions and privacy settings.
To read the guidance, please see Related links.
The message from the guidance is that businesses must take steps to comply and efforts to do so will be taken into account when it comes to enforcement in May. TLT's Data Protection & Privacy team is offering a review service to assist you in identifying the best means of obtaining consent given the types of cookies used on your website. If you would like more information about the review service or have any queries about the forthcoming changes, please contact Alison Deighton.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at January 2012. Specific advice should be sought for specific cases; we cannot be held responsible for any action (or decision not to take action) made in reliance upon the content of this publication.
TLT LLP is a limited liability partnership registered in England & Wales number OC 308658 whose registered office is at One Redcliff Street, Bristol BS1 6TP England. A list of members (all of whom are solicitors or lawyers) can be inspected by visiting the People section of this website. TLT LLP is authorised and regulated by the Solicitors Regulation Authority under number 406297.