New ICO guidance issued on EU cookie law

The Information Commissioner's Office has released practical guidance for companies to comply with the new EU cookie law.

In [the] future, many websites may be able to rely on the user’s browser settings to demonstrate they had the user’s agreement to set all sorts of cookies. ... For now, though, you will need to consider other methods of getting user consent.

ICO guidance on EU cookie regulations

With just over a fortnight to go before new rules come into effect governing the use of cookies on websites, the Information Commissioners Office (ICO) has issued guidance on how companies should comply.

The ICO guidance (.pdf) says websites cannot rely on browser settings to decide whether a user consents to having his or her online activity tracked, and that, in most cases, sites should seek explicit consent from the visitor.

"In [the] future, many websites may be able to rely on the user’s browser settings to demonstrate they had the user’s agreement to set all sorts of cookies,” the ICO announcement states. “We are aware that the government is working with the major browser manufacturers to establish which browser-level solutions will be available and when. For now, though, you will need to consider other methods of getting user consent.”

According to London-based law firm Pinsent Masons, the government is working with Mozilla, Apple, Microsoft, Google, Yahoo, Adobe and the Internet Advertising Bureau to deliver an efficient technological way to obtain user consent.

The guidance suggests online businesses could send prompts to appear on a user's screen asking for consent to use cookies, which it says would be an easy option for achieving compliance. Alternatively, it suggests, the user could be asked to sign up for the terms and conditions of a site, where the use of cookies is explained and then accepted or declined, thereby avoiding pop-up messages that users see as tedious.

The ICO concedes that companies will need some time to comply with the new EU cookie law, but insists they should be able to demonstrate they have a plan to reach compliance.

“The guidance is helpful in that it gives practical advice on steps businesses can take to stay on the right side of the law, but it is not definitive, which could leave businesses exposed later," said Claire McCracken, a lawyer at Pinsent Masons, writing on the OUT-LAW legal website.

"The guidance leaves it up to organisations to decide how to get users’ permission for cookie usage, which means different companies will use different methods," said McCracken. "Only once enforcement action starts will we really know which of these methods the ICO thinks are within the law and which are not.”

Read more on Regulatory compliance and standard requirements