On 9 May 2011, the UK Information Commissioner’s Office (ICO) published its much-anticipated guidance on the amendments to the EU Privacy and Electronic Communications Directive, commonly referred to as the Cookie Directive.  This name is derived from the requirement under the Directive that consent must be given for cookies to be placed on a user’s computer.  Given the ubiquitous use of cookies, the implementation of the Directive could have wide-ranging implications for the functionality of websites.  The ICO has confirmed that the amended Directive will apply in the United Kingdom from 26 May 2011.

The ICO guidance does not provide a prescriptive list of instructions as to how website operators should comply with the amended Directive.  The guidance does, however, give insight into the ICO’s approach to consent.  The ICO envisages a sliding scale of consent:  if a cookie is particularly intrusive, the website operator should seek to prioritise obtaining meaningful consent for this particular cookie.  At the same time, the ICO acknowledges that some cookies have little impact on a user’s privacy and suggests that consent can be gained in a less direct manner.  The ICO’s suggested measures include consent notices in the website terms and conditions, and pop-up windows requesting consent or advising users as to the existence of third-party cookies.

The guidance addresses the key question of whether a website operator can seek to rely on the settings of the user’s internet browser as evidence of consent.  The Directive suggests this as an option where an internet user changes the default settings on an internet browser to accept cookies.  The UK Government’s response paper to the Directive also stated that the UK Government’s preferred approach is to work with browser manufacturers on a solution which will use enhanced browser settings to obtain the requisite consent.  For more information, click here. The ICO’s position, for the moment at least, is that the settings of the user’s internet browser cannot be relied upon as consent.  This may change if browser manufacturers can produce an adequate solution.

As the amendments enter into force shortly, website operators are advised to undertake a comprehensive audit of their use of cookies and consider what steps they will need to take in order to comply.  Although the ICO is not expected to take enforcement action in the short term, all website operators still should bear in mind the risks of future enforcement and negative publicity for an ongoing failure to comply.