Following the recent EU Cookie Law changes, Euan Lawrence, Solicitor at Blacks Solicitors, highlights the pitfalls for businesses that fail to comply with the new regulations…
Although the new EU Cookie Law came into force on 26 May 2011, businesses were given a one-year grace period (which expired at the end of May) to comply with the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011.
However, regardless of the expiry of the grace period, it appears that many companies are still not up to scratch in terms of their compliance with the new Cookie Law, especially as the Information Commissioner’s Office (ICO) will be enforcing these Regulations on businesses, big and small.
For many firms across the UK, it’s extremely important to be aware that action taken by the ICO in response to a complaint by the public may result in a penalty of up to £500,000.
In the first instance, the ICO will often contact the organisation responsible for the cookies and ask for a response to a complaint. While this is much less severe than a financial penalty, the ICO will require a detailed explanation of:
- The steps taken to comply with its Regulations
- The reasons why the deadline has not been met
- What the timescale will be for compliance
The general approach of the ICO in terms of enforcement of the Regulations is one of proportionality. Powers will be utilised on a tough and targeted basis rather than lightly and routinely. For businesses that own a website this means that, in practice, it is unlikely that action will be taken for minor contraventions of the cookie rules. However, where the ICO considers a breach to be so serious that action must be taken, that action will be tougher and is likely to incorporate an element of deterrence to other organisations.
The message conveyed by the ICO Guidance on the enforcement of the Regulations is that the ICO will be more lenient with those who can show they are at least making efforts to comply, whilst taking a tough stance against those who cannot. The ICO is unlikely to fine an organisation which is attempting, but struggling, to comply with the Regulations (and may instead issue guidance and assistance), but will prioritise action against those who demonstrate a disregard for the law by having made no attempt to comply.
My advice to businesses or website owners who have yet even to attempt to achieve compliance with the Regulations is to act quickly. An easy way to gain informed user consent is to provide a cookies policy on the website and implement a ‘pop-up’ technique asking users to select ‘yes’ to agree to their information being stored. Putting the necessary steps in place now could save you from major financial headaches in the future.