The Information Commissioner managed to greatly raise the profile of the new EU law on cookies last week, warning in a press release that “UK businesses must wake-up” to the forthcoming change. However this alarm bell seems to be a bit early, as the Government admitted that although it does expect to meet the deadline of May 25th for transposing the European Directive into UK law (possibly simply copying the text of the Directive), it will take longer than that to produce guidance available on what businesses actually need to do to comply with it.
The problem is that the Directive requires users to give “consent” before any cookies are placed on their computers, but it has never been clear how this consent should be expressed. When the Directive was passed, some commentators considered that an explicit prompt would need to be given to each user, for example through a pop-up or landing page, whereas others thought that it was sufficient to check whether existing browser preferences permitted the cookie to be loaded. Last week’s press release only mentions the latter, “browser-settings” approach, which was also the preferred option in last year’s Government consultation on implementing the Directive (see page 57 of the consultation paper). That consultation also distinguished cookies that were “strictly necessary to deliver a service which has been explicitly requested by the user”, while also commenting that more information should be provided on how cookies are used.
Until the UK legislation is published and passed, and guidance on implementing it provided, it seems the best thing organisations can do is review what cookies their websites generate (including any third party links or cookies) and consider documenting what benefits they deliver.
[UPDATE] Out-law reports that the Government is indeed “working with browser manufacturers” on a solution