UK Information Commissioner makes a mess of cookies

The UK’s Information Commissioner has not done a great job in introducing recent changes relating to the use of cookies.

They put out very late, confusing guidance and finally (the day before the rules came into force) decided to give a year’s grace period in enforcing the new rules.

Background

From 26 May 2011, as a result of changes to the Privacy and Electronic Communications Directive, it will be unlawful to use cookies to collect user data without the informed consent of the user. The only exception to this is when the cookie is strictly necessary (e.g. if it has been used as a shopping basket and you need to make sure that payment is for the goods actually purchased).

Guidance

The UK Information Commissioner published practical guidance in early May on what this would mean in practice for the use of cookies. In summary they suggest that web-site owners should:

1. check what type of cookies and similar technologies you use on your web-site, and how you use them;
2. assess how intrusive your use is; and
3. decide what solution to use to best obtain consent.

The guidance then goes on to flesh out what this means in different scenarios, but contrary to expectations rules out the use of browser settings as a general solution.

However, as commentators have noted, this guidance came far too close to the implementation deadline to be of much practical assistance to web-site owners: it should have been published well in advance, and its lateness will significantly increase compliance costs.

Enforcement

On 25 May the Information Commissioner published enforcement guidelines. This (to put it mildly) didn’t give businesses much time to react. It seems to have been published partly in reaction to the public outcry following the ICO’s prior late guidance and gives companies a year’s grace period to comply with the (still unclear) new rules.