The European Union Directive on Cookies requires website owners to gain the consent of Internet users before they view web material that requires enabling cookies. The law applies to all EU member states. Furthermore, websites outside of the EU are required to comply with the Directive if they target EU member states. For example, a site based in Canada that sells to consumers in the UK, or that has a French-language version of its site aimed at users in France, will have to comply.
The UK was the first member country to establish a May 25, 2012 deadline for compliance with the directive. Essentially, the requirements for complying with the directive are to first do a “cookie audit” to find out how cookies are used and in what devices. Secondly, companies have to review the information that they give to users about how cookies are being saved on their computer and lastly there has to be a prominent notice on the website that is easy to understand for the user.
Within the UK guidelines, there is a provision to penalize companies up to £500,000 for non-compliance with the EU Directive. However, the ICO is reluctant to impose the penalty on companies as the law is not meant to be punitive. Enforcement rarely involves monetary penalties which can only be issued by the ICO in cases where there has been willful non-compliance with the directive. The ICO prefers to provide an enforcement notice to provide companies with a timetable for when they should become compliant; their strategy is about committing organizations to becoming compliant on the cookie guidelines and they want to achieve this through negotiations with organizations rather than enforcing financial penalties.
As it stands, many websites across Europe are still non-compliant with the cookie notification requirements. It is unclear whether other European nations will follow the UK’s lead on emphasizing guidance and support as a tool for compliance rather than penalties.
- Approaches to Compliance
- EU directive 2009/136/EC amending users rights relating to electronic communications