Way back in 2002 the EU enacted a directive which required owners of websites based in the EU to obtain customers’ consent before using ‘cookies’ to track how they browse their website.

As usual the implementation of EU directives is subject to a number of delays and opt-outs, so much so that we often forget about it until the last minute.  Nine years after the event this directive is being rolled out in every member state of the European Union. If your country hasn’t yet enacted its own national legislation to meet the requirements of the directive, it will have to do so very soon.

In the UK the enabling legislation will come into force on Thursday 26th May 2011. British website owners (wherever hosted), or anyone (wherever located) with a website hosted in Britain, will have to ask for permission to store and retrieve information on users’ computers, a process currently done automatically by the website installing computer code known as a cookie.

Website owners face a maximum fine of £500,000 if they fall foul of the new law. But there is concern that many may not be aware of the changes or what steps they need to take to ensure they do not breach the new regulations.

The real problem is that the directive (drafted 10 years ago, which in internet times is “pre-history”) does not clarify what constitutes “getting a customer’s consent”.

For example, it is not clear whether a customer setting their Internet browser to ‘accept cookies’ will be enough or whether businesses will have to take further, more direct steps to get customers’ consent.

Last week the (UK) Information Commissioner’s Office (“ICO”) said that companies ‘could not stick their heads in the sand’ but must take steps to get their house in order without actually spelling out what that entailed. Given that the ICO has had the best part of 10 years to get to grips with this new legislation they do seem to have rather abrogated their responsibility. After all their mission statement says that they will issue timely and appropriate guidance.

Whilst the ICO has said there will be a grace period while the laws are being implemented, this is conditional on website owners showing that they are making efforts to comply with the legislation. Since their 12 page “guide” does not explain the legislation more clearly, this may not give much comfort to website owners.

Mind you, given the criminally lax policing of other requirements such as the one making it an offence for a website owner not to give full details of their legal status (private individual, company, partnership etc.) and their contact details – perhaps no-one should be too worried about this latest piece of EU nonsense. But if I were you I wouldn’t bet on it, and I can do nothing less than advise you to take this new requirement seriously and get appropriate professional advice for your circumstances.

Click here to access the UK Information Commissioner’s Guidance

4 Responses to “European Law Means British Websites Risk Half a Million Pound Fine Over Cookies”

  1. James Green says:

    Good to hear from you Jenny. There is a lot of confusion over this law and the Information Commissioner was saying in the media that they don’t yet know themselves how this will work but that they will work with IT specialists and website owners to find a way forward. They are not going to be fining people just yet awhiles.

  2. As a network marketer, I work with a replicated site describing my ‘product’ – a pre-paid Mastercard branded card which gives you cashback whenever you spend with it. That replicated site does not explicitly describe my legal status as an affiliate. There are thousands of networkers all over the UK and Europe operating similar businesses for countless different products.

    In my case the parent company is UK registered, but many of them are based in the US and Canada. My replicated site has information giving contact details for the company but not me personally. The website ‘belongs’ to Cashbackcard.com, not to me.

    I know the company owners went through a lot of work, trying to ensure that they were compliant in every way, but what you say makes me think that they may have not done enough. I think they may use ‘session cookies’ only as there has been some discussion about this subject; what is supposed to happen is that the site will ‘remember’ you for two hours if you just put your email and d.o.b. in, but I haven’t tested that on another PC.

    I will be in touch with the company on Monday and get them to read this, and the documentation you recommend. I’ve put a lot of effort into building a team in this business and don’t want to see it go down the tubes for the sake of a few words on a website.

  3. James Green says:

    Yes indeed. Although the regulations were published years ago the last Labour government did nothing about it until the last minute and enacted legislation two years ago. (Perhaps they didn’t want to give ammunition to the anti-EU activists.) However it was only 3 weeks ago that the Information Commissioner was able to agree the final rules – though he says he cannot enforce them for at least the next year as the technology doesn’t exist to do what is required.

  4. Chrisjo says:

    A very timely piece of information. Is it true that the regulations were only published 3 weeks ago?
