New EU Cookie Law – Is Your Website Compliant?

On 26th May 2011, the UK Government were one of the first in the European Union (EU) to implement the new EU Cookie Law, albeit with a twelve month grace period, which expired Saturday 26th May 2012!

What does this mean?

Well, if you own or run a website targeting citizens of the European Union, and this website tracks users in any way, for example by using cookies, then you need to ensure your website at least informs its visitors about how they are tracked.

Your website is likely to track users, probably using cookies, if any of the following statements are true:

  • Your website has a shopping basket or cart facility – cookies are probably used to track which items visitors have added to their basket or cart
  • Your website remembers any user-specific settings, for example, the size of text displayed on the page
  • Your website tracks visitor trends using a product or service such as Google Analytics

Essential/Non-Essential User Tracking

Some of these uses of user tracking are deemed essential, whereas others are not. For example, tracking which products a user has selected to purchase is considered essential, whereas tracking visitor trends using Google Analytics is not.

Implied or Explicit Consent

In order to comply with the new law, each website targeting EU citizens must clearly state what tracking is taking place along with its purpose, so that visitors can make an informed decision on whether to use the site. Until a few days before the twelve month grace period in the UK came to an end, it was believed that explicit consent would have to be provided by any website visitors before any tracking could take place; however, as this is often completely impractical, the UK’s Information Commissioner’s Office (ICO) clarified that implied consent will suffice.

So as long as your website clearly notifies visitors about the types of tracking used by the site, then you should be fully compliant with the new law.

Are All the Other Websites Compliant Already?

In a word, NO! Ironically, ZDNet UK recently reported that most UK Government websites would not be compliant with the new law by the deadline of 26th May 2012. The Cabinet Office said it was “working to achieve compliance at the earliest possible date”, which is encouraging!

Even more ironically, given that this new law is being forced upon the UK by the European Union, the new law apparently only applies to member states, not the EU itself! Therefore the EU as an organisation is claiming that the laws do not apply to their websites.

What If My Website Is Not Compliant?

Theoretically, the UK’s ICO has the power to fine up to £500,000 for breaches of its various rules, which include the new cookie law, but in practice, they have stated that they are not “going to launch a torrent of enforcement action”. However, they will investigate websites that users report to them via a tool that will soon be available on their website. Only the most intrusive websites will be subject to the ICO’s enforcement powers, and in most cases this will involve a notice requiring the site owners to take action to fix the data protection flaws, rather than a fine.