EU 'Cookie' law for UK web sites (E-Privacy Directive)

From 26th May 2012 all UK websites must obtain consent from visitors for the use of cookies and other tracking technologies.

New rules governing the use of website 'cookies' were issued by the United Kingdom Information Commissioner's Office (ICO), effective May 26, 2011. These stem from the Privacy and Electronic Communications (EC Directive) Regulations 2003, as amended by Directive 2009/136/EC, which included a change to Article 5(3) of the E-Privacy Directive - phew! These new rules require web site owners to get consent from visitors/users before storing information on, or accessing information stored on, their computer or browsing device. This means visitors have to 'opt in' to the use of cookies.

There was a 12-month transition period (ending May 26, 2012) for companies to meet the new requirements. During that period, companies had to take steps to comply with the new regulation, although complete compliance was not required before May 26, 2012. The new UK rules apply to all websites hosted in Europe, and to websites hosted elsewhere if they target UK residents. U.S. websites that market their sites to UK residents or that have a large number of UK users may be subject to the new rules and be required to comply.

Types of Cookies

  1. Strictly Necessary

    To fit this category, the cookie must be related to a service provided on the website that has been explicitly requested by the user. Aside from obvious cases such as shopping cart cookies and access to protected areas, the ICC suggests that remembering previously entered text so it's not lost if the page refreshes falls into this category. No user consent is required for category 1 cookies.

  2. Performance Cookies

    This category includes analytics, advertising and Pay Per Click cookies, provided they only store anonymous data and therefore cannot be used for behavioural targeting of ads. Consent for cookies in this category, according to the ICC, can be obtained by placing appropriate wording in the site Terms and Conditions or Privacy Policy. So no opt-in is required.

  3. Functionality Cookies

    Cookies that remember user choices so that they have a more personalised experience. This might include detecting if the user has already seen a popup so that it isn’t shown again, submitting comments and remembering colours, text size etc. As with Performance Cookies, the ICC suggests you can comply with the regulations by inserting text into your Terms and Conditions/Privacy Policy rather than forcing users to choose explicitly.

  4. Targeting/Advertising Cookies

    It's possible to argue that the onus is on the ad serving network to request consent but, to be on the safe side, the ICC advises website owners to get clear, explicit consent from users if their site employs such technology.