NEWS 9 May 2011

ICO offers publishers and advertisers advice on new EU cookie rules

UK — The Information Commissioner’s Office has published its advice on how website owners can comply with new European Union rules about cookies.

The new law, which comes into effect in the UK on 26 May, requires publishers to obtain a user’s consent before placing a cookie (a small text file that a website stores on a user’s computer to identify it). The only exception will be cookies that are “strictly necessary” to provide a service requested by the user – for example to save items in a shopping basket while making a purchase.

Cookies are widely used by websites to store information about users, including details of their past activity, to track user behaviour and provide services that require the site to recognise the user. Although many sites explain this in their privacy policies, and most browsers give users the option of rejecting cookies, it has not in the past been necessary to get a user’s permission before saving a cookie on their device.

The ICO’s advice sets out practical steps that publishers and advertisers can take to make sure they comply with the new rules. It said its advice “will help people to consider what type of cookie or similar technology their website uses and for what purpose, how intrusive their use is, and offers advice on what solution for obtaining consent will suit them”.

The government has said it will be working with browser manufacturers to see if settings can be used as a way of obtaining consent to accept cookies, but the ICO warned that at present “most browser settings are not sophisticated enough” to constitute consent. Solutions may instead have to include pop-ups, terms and conditions, or specific warnings when particular features are activated by the user.

The advice is at times very general, encouraging sites to “be upfront with your users about how your website operates”.

Third-party cookies, the ICO said, “may be the most challenging area in which to achieve compliance with the new rules and we are working with industry and other European data protection authorities to assist in addressing complexities and finding the right answers”.

The government confirmed last month that it would implement the rules in the new EU directive, but communications minister Ed Vaizey said that, because of the short time before the 26 May deadline, “we do not expect the ICO to take enforcement action in the short term against businesses and organisations that work out how to address their use of cookies”.

The ICO said that there will be a phased approach to the implementation of the rules. If complaints are received about organisations, it will expect them to show how they have considered the new law and “that they have a realistic plan to achieve compliance”.