What businesses need to do before the cookie law deadline

Organisations have to get their house in order ahead of the 26 May 2012 deadline for European e-commerce regulations governing the use of cookies.

With nearly a year having passed since the introduction of new European e-commerce regulations governing online data capture through the use of cookies, organisations have a small window in which to get their house in order ahead of the 26 May 2012 deadline. The 12-month “lead-in” grace period was indicative of the government's uncertainty as to whether the solution to the requirements of the EU's Privacy and Electronic Communications Directive might be delivered in the form of technological upgrades providing a browser-based solution (such as a "no follow" button to prevent the use of cookies).

But with no obvious industry lead emerging, there is a wide range of opinions on what businesses should do to achieve compliance with the revised regulations. Much of the 12-month grace period has been given over to talking, rather than to any clear development of means of compliance that can be universally accepted. Those hoping that browser standards would have been implemented by now will be disappointed, as the existing default settings remain in place for the majority of users, so no change there.

The industry has been less than swift to respond. A recent survey conducted by Ctrl-Shift found that none of the top 100 retailers had fully complied with the requirements just three months ahead of the deadline.

Despite this apparent laissez-faire approach, the fact remains that each business still needs to carry out its own assessment of how it uses cookies and then tailor its solution to that use and to its customers. Merely waiting until the end of the lead-in on 26 May is not going to be acceptable, and the Information Commissioner’s Office (ICO) has issued clear guidance during this year in which it states that it expects website owners to have carried out an audit as a minimum. So what practical steps must organisations take to ensure compliance?

The ICO has provided suggested wording of various degrees of sophistication, which can be used by those organisations wishing to be fully compliant, but the following are the minimum steps and checks to follow and implement as necessary:

  • Any cookies which create detailed profiles of an individual’s browsing activity should be clearly identified to users.
  • Determine what types of cookies are used on a website, on both an individual and an anonymised level.
  • Analyse how those cookies are used and for what purpose.
  • Remove any outdated or unnecessary cookies.
  • Assess how intrusive the use of cookies is.
  • Decide on the best solution to obtain consent.
  • Evaluate the likely business impact of users exercising their right to remove consent.
  • Ensure that the current privacy statement on the website is updated in line with the new regulation.

In spite of the new layer of complexity that the regulations bring, cookies remain a valuable tool with a myriad of uses for thousands of businesses, and organisations should not be overly daunted. Consumers are increasingly savvy about their privacy rights and how their data is used, and are well aware of their right to remove consent. Businesses that choose to flout the new regulations risk not only hefty financial penalties but also the ensuing negative perception of non-compliance.

On the other hand, those that are well prepared ahead of the deadline will benefit from the positive PR associated with best-practice cookie usage and transparency, and will have the opportunity to convey the benefits that cookies ultimately bring to the user’s experience.

Kim Walker is a partner at law firm Thomas Eggar.