Friday, June 1, 2012

Cookie Guidance from the UK ICO

In 2002 the European Directive 2002/58/EC laid the groundwork for the protection of privacy in electronic communications. It was amended in 2009 by Directive 2009/136/EC, commonly referred to as the “cookie rule”, which required EU member states to implement the changes in their own national laws by May 25, 2011. The UK Information Commissioner's Office (ICO) allowed a “lead-in period” of one year before enforcement, and that year is now up. On May 25th, the UK ICO published its recommendations on the directive, setting out how the ICO views the issues and requirements in the directive and giving some insight into how enforcement actions may take place within the UK. This is a valuable resource for organizations operating websites in the UK.



As should be anticipated, any cookies that are not strictly necessary, and any cookies that handle sensitive data, should get extra attention, since you can be assured the data protection authorities (DPAs) will be paying special attention to them. This is an area where explicit consent should be obtained.

A few items from the guidance should be noted by any organization using cookies on its website, especially cookies that track users' actions across multiple sessions:


• Explicit consent is not a requirement in all cases.

• Users of the site should be conspicuously advised of the use of cookies on the site and of their choices in allowing those cookies.

• The exception for a cookie being “strictly necessary” should be used very narrowly.

• Make the use of third-party cookies very clear to the end user.