May 26, 2012 Deadline For New U.K. Cookie Law: Are You Ready?

May 11, 2012

May 26, 2012, is the deadline for compliance with the U.K.’s new law concerning the use of cookies on websites (“Cookie Law”) on the basis of EU law. In our prior Alert, we addressed the background on the U.K. Cookie Law, noting that that the U.K. became the first EU member state to pass a cookie law in May 2011. At that time, the Information Commissioner’s Office (“ICO”) published guidance on how to comply; however, the ICO delayed enforcement for one year in order to give website operators an opportunity to revise their cookie practices to generally obtain express consent from website users before placing a cookie or other electronic technology (Web beacon, clear GIF, flash cookies) on a user’s device. That one year safe harbor ends on May 26, 2012, and the ICO has indicated its intent to enforce the Cookie Law and set up an online whistleblower scheme. Companies that do not comply could face fines up to £500,000.

Additional guidance as to how to comply with the Cookie Law has been provided by the International Chamber of Commerce. In addition, the ICO’s website provides examples of what it presumably believes is sufficient to comply with the Cookie Law.

The Cookie Law, and particularly the issue of what constitutes consent under the law, has been controversial. The ICO guidance indicates that “Consent must involve some form of communication where the individual knowingly indicates their acceptance. This may involve clicking an icon, sending an email or subscribing to a service. The crucial consideration is that the individual must fully understand that by the action in question, they will be giving consent.”

It is unclear whether the ICO will attempt to enforce the Cookie Law against website operators based outside the U.K. The ICO’s guidance, however, makes clear its desire that websites located outside of the U.K. comply, especially sites that are designed for the European market and/or that provide products and services to the customers in the EU.

The cookie issue is also relevant beyond the U.K. For instance, in France, the French Data Protection Authority CNIL recently released its own updated guidelines on the use of cookies that are not entirely consistent with the ICO’s approach.

If you have any questions about how your business should address the Cookie Law, please contact one of the lawyers listed below.


If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers:

Axel Spies

This article was originally published by Bingham McCutchen LLP.