Compliance with the EU Directive on Cookies

The European Union Directive on Cookies requires website owners to gain the consent of Internet users before they view web material that requires enabling cookies. The law applies to all EU member states. Furthermore, websites outside of the EU are required to comply with the Directive if they target EU member states. For example, a site based in Canada that sells to consumers in the UK, or that has a French-language version of its site aimed at users in France, will have to comply.

The Directive came into effect on May 26, 2011. Within Europe, the Information Commissioner’s Office (ICO) in the United Kingdom has been leading the way in guiding companies on compliance with the new law. One issue with the UK regulations arises from the fact that just 48 hours before the compliance deadline, the ICO amended the requirements for compliance by stating that websites can assume that users have implicitly consented to their use of cookies. Implied consent arises in the form of browser settings that allow for cookies to be enabled as the default option, without a persistent notice appearing every time cookies have to be saved on the browsing device. This last-minute amendment by the ICO places the UK out of step with EU law in its implementation of the continent-wide directive; this could lead to court challenges in the EU.

The UK was the first member country to establish a May 25, 2012 deadline for compliance with the directive. Essentially, the requirements for complying with the directive are threefold. First, companies must do a “cookie audit” to find out how cookies are used and on which devices. Second, they have to review the information that they give to users about how cookies are being saved on their computers. Lastly, there has to be a prominent notice on the website that is easy for the user to understand.

Within the UK guidelines, there is a provision to penalize companies up to £500,000 for non-compliance with the EU Directive. However, the ICO is reluctant to impose the penalty on companies, as the law is not meant to be punitive. Enforcement rarely involves monetary penalties, which can only be issued by the ICO in cases where there has been willful non-compliance with the directive. The ICO prefers to issue an enforcement notice that gives companies a timetable for when they should become compliant; its strategy is to commit organizations to becoming compliant with the cookie guidelines through negotiation rather than financial penalties.

As it stands, many websites across Europe are still non-compliant with the cookie notification requirements. It is unclear whether other European nations will follow the UK’s lead on emphasizing guidance and support as a tool for compliance rather than penalties.
