In its continuing efforts to give the State of California a run for its money when it comes to privacy rights, the United Kingdom’s “cookie law” is now in effect. Websites for European companies with European visitors, or non-European companies that are directed at European users, must now inform users of any tracking technology used on the website, and the purpose of the use of that tracking technology.
The Law
The new law is part of the European Union’s "e-Privacy" Directive. Implementation of the e-Privacy Directive requires that each member state incorporate the e-Privacy Directive into its own law in 2011. The United Kingdom accomplished the foregoing by creating the amended Privacy and Electronic Communication Regulations (PECR) Act 2011, which became effective on May 26, 2011. The disclosure of the use of user tracking technology is only one element of PECR.
Types of Tracking Technology
The use of cookies on a website is only one practice covered by the cookie law. Uses of advertising tracking and analytics, for example are covered practices.
Affected Businesses
If you have only a U.S.-based web site, with no web page directed explicitly at the United Kingdom, then the cookie law should not affect you. However, if you have a website or web page directed specifically to residents of the United Kingdom, you almost certainly are subject to the cookie law.
Opt-Out or Opt-In
Good question. Originally the cookie law was interpreted to mean that a user must explicitly opt-in to the tracking technology. However, just before the cookie law went into effect the Information Commissioner’s Office (“ICO”), the United Kingdom’s data protection agency, updated its guidance to say that “implied consent” was acceptable, and that continued use of the subject website would meet the consent requirement.
Compliance Deadline
The cookie law is currently in effect, but it is no secret that many, many organizations are not currently in compliance. Those websites that are in compliance with the cookie law will present users with a dialogue similar to this:
Mobile Applications
Just to keep things interesting, the cookie law applies to mobile applications as well. Because mobile applications have just as many, if not more, opportunities for user tracking, and because that user tracking is not always obvious, it has already been made clear that the ICO will pay particular attention to mobile application compliance
Penalties
The ICO has the authority to fine non-compliant organizations up to $780,000 (or 500,000 pounds) for not complying with the cookie law. Fortunately, the ICO is not going to be in a big rush to penalize non-compliant organizations and, instead, is focusing on educating companies regarding compliance requirements.