Legal Matters: Beware of the Cookie Monster
The UK Relaxes User Consent Requirement
The U.K. has been in the vanguard of jurisdictions proceeding with implementation of the EU Directive. Although initial rules came into force on May 26, 2011, website owners were given a 12-month "grace period" to comply before facing enforcement action. Just as the May 26, 2012 deadline for implementation approached, the U.K. Information Commissioner's Office (ICO) issued a formal "Guidance" regarding the use of cookies on websites. The ICO announced that explicit consent wasn't necessarily required. The ICO Guidance addressed the most controversial and confusing aspect of the EU Directive — what measures will be viewed by regulators as being sufficient to obtain "consent" to the installation of cookies on users' devices. The EU Directive defines "consent" as "any freely given specific and informed indication of … agreement to personal data … being processed."
The ICO Guidance is welcome in that it tells website operators they don't need an affirmative opt-in before cookies are installed on visitors' computers, but it doesn't make clear exactly what measures will satisfy the user consent requirements of U.K. law. It would be reasonable to conclude, however, that at a minimum the following two actions would be necessary for compliance:
- providing an information page that gives a general explanation of what cookies are and their function on the website; and
- providing a link to that information page from the website's homepage.
The essence of the Guidance appears to be that sufficient notice must be provided in plain language to ensure that website visitors understand that the site uses cookies as well as how cookies can be blocked or disabled.
User Consent Isn't Required for Certain Types of Cookies
It should be noted that the EU Directive contains an exception from any consent requirement for cookies that are "strictly necessary." In order for cookies to meet this definition, "such storage of or access to information should be essential rather than reasonably necessary … to provide the service requested by the user." The exception doesn't apply when the cookie is only "'important' rather than 'strictly necessary.'"