UK Cookie Acceptance Policy
Prior Consent Required?
The current guidance from the ICO states that consent to cookies can be obtained after processing has begun. The UK authorities base their advice on the fact that the word ‘prior’ does not appear in the EU directive upon which the UK law is based. However, the Article 29 Working Party – which advises the EU on data protection issues – disagrees and claims that prior consent must be obtained to make cookie use legal. It will now be necessary for the ICO to provide further guidance to businesses on this issue. This is, however, unlikely until the new proposed EU data protection law, which should better define consent and its practical meaning, is published by the European Commission later this year.
Dutch Cookie Acceptance Policy
In the Netherlands, a new Dutch law requires prior “opt-in” consent before a cookie can be installed or stored on a user’s computer. The language of the proposed law is quite broad and could require website owners outside of the Netherlands to comply with the Dutch law when processing personal data of Dutch citizens. In addition, the website owners would also have to comply with their own local cookie rules, which may be different.
Implementation of Cookie Acceptance Policies
To date, only the UK, Denmark, Estonia, Finland, Sweden and the Netherlands have introduced measures implementing the Privacy and Electronic Communications Directive. The European Commission has set a deadline for European companies to create a uniform way for web users to opt out of being tracked by cookies within a year of the previous deadline. The Commission has said it will take action if industry does not standardise opt-outs in that time. In the USA, no such law exists and website operators are free to place cookies.
Guidance on Cookies and what to do:
Despite this conflict, organisations should check their websites for cookies, remove any which are not necessary and obtain consent as currently advised by the Information Commissioner. Simply doing nothing and waiting is not an option, as this will be taken into account when formal enforcement begins in May 2012.
Sites hosted and operating out of the USA, aimed at UK-based users
It is not currently clear whether the law will apply to websites operated or hosted in the USA. However, if a website is aimed at UK users then it is likely that the law will be deemed to apply, although it remains to be seen how any enforcement action could be taken against a US company in breach.