UK Enforcement of EU Cookie Law in Effect

Becky Doles

Today is EU cookie law enforcement day in the UK. As part of the European Union, the UK agreed to comply with the May 2011 amendments to the 2003 EU e-privacy directive, which require websites to obtain user consent for tracking technologies, including cookies. The guidance issued on the updated rules encourages companies to be more open about what these cookies are and how they might be used. At the time of the amendments, the Information Commissioner’s Office (ICO) provided a year-long grace period for compliance. Today that grace period is over.

For most of the past year, the ICO suggested that compliance would require direct consent before placing a cookie on a user’s computer. I can hardly imagine the horrible experience that would create, particularly in situations where a site is merely attempting to personalize the user experience.

If I lived in the UK, things like Amazon welcoming me back with my name and purchase suggestions would now require a warning saying they were about to drop a cookie on my machine that would allow them to use my name and suggest products. I’m sure some people don’t trust that sort of thing, but I find it improves my experience most of the time.

Thankfully, the ICO has revised their recommendation around what compliance looks like, offering implied consent as a viable mechanism for compliance.

In a blog post on the ICO website, Dave Evans, Group Manager, Business and Industry, offers a summary of the clarifications with the following bullet points and a YouTube video.

  • Implied consent is a valid form of consent and can be used in the context of compliance with the revised rules on cookies.
  • If you are relying on implied consent you need to be satisfied that your users understand that their actions will result in cookies being set. Without this understanding you do not have their informed consent.
  • You should not rely on the fact that users might have read a privacy policy that is perhaps hard to find or difficult to understand.
  • In some circumstances, for example where you are collecting sensitive personal data such as health information, you might feel that explicit consent is more appropriate.

Pinsent Masons’ blog offers a good example of what many sites that drop cookies may look like to first-time visitors from here on out, along with great additional coverage of UK compliance with the EU cookie law.

It’s unclear how this new law will impact performance marketers at this point. Presumably sites in the UK with affiliate links and other tracking links will offer a blanket disclosure that cookies may be dropped on clicked links, with additional details about the types of cookies being used.

While implied consent certainly makes compliance seem more reasonable, it will be interesting to see how the cookie law gets tested in the UK courts. A PDF with the full ICO cookie guidance is also available for download.


Becky is the Senior Content Marketing Manager at TUNE. Before TUNE, she led a variety of marketing and communications projects at San Francisco startups. Becky received her bachelor's degree in English from Wake Forest University. After living nearly a decade in San Francisco and Seattle, she has returned to her home of Charleston, SC, where you can find her enjoying the sun and salt water with her family.
