Privacy & Information Security Law Blog

On March 8, 2011, the UK Information Commissioner’s Office (the “ICO”) issued a warning to UK businesses on the forthcoming amendments to the Privacy and Electronic Communications Directive (2002/58/EC as amended by 2009/136/EC) that will require businesses operating websites in the UK to obtain consent from website visitors to store information on their computers and retrieve that information in the form of cookies.

In a speech at the ICO’s annual Data Protection Officers’ conference on March 8, 2011, the UK Information Commissioner, Christopher Graham, said that businesses running websites in the UK must “wake up” to the fact that the changes are happening and to start thinking about how to achieve compliance with the new requirements. He acknowledged that the implementation of this new law, which becomes effective May 25, 2011, would be a “challenge” but that it “will have positive benefits as it will give people more choice and control over what information businesses and other organisations can store on and access from consumers’ own computers.” The Minister for Culture, Communications and Creative Industries, Ed Vaizey, stated that while businesses need to address the way in which they use cookies, the UK government does not expect the Information Commissioner’s Office “to take enforcement action in the short term against businesses and organisations as they work out how to address their use of cookies.” The Internet Advertising Bureau (the “IAB”), the trade body for the UK advertising industry, issued a statement in response to the ICO’s message, saying that the new law “raises significant implementation challenges right across Europe” and is “potentially detrimental to consumers, business and the UK digital economy.”

At this time, it is unclear how the law will be implemented and enforced in the UK and across the EU. As of March 10, 2011, the ICO indicated that it has not yet seen a draft of the implementing legislation, which raises concerns that the ICO will not have sufficient time to draft and publish guidance to businesses on how to achieve compliance before the legislation comes into effect.  Even though the UK government has indicated that it does not expect the ICO to take enforcement action in the short term, the ICO’s “wake up” call suggests that it will not be sufficient for businesses to simply do nothing.  Instead, industry needs to prepare to adapt to these impending changes.

For more information, view the ICO press release.