Articles | That's the way the cookies crumble - update

An update to our July 2011 article highlighting the need to comply with the new legislation relating to website cookies.


1 London Street,

+44 (0)118 951 6200


Cathrine Ripley

Cathrine Ripley

Last July we wrote about the new legislation requiring website owners to seek positive consent from those accessing their site before placing cookies on their computer.  The Information Commissioner’s Office (ICO) has now issued updated guidance for website owners.

The ICO has always recognised that compliance with the new legislation could not happen overnight and gave website owners a 12 month lead-in period to make changes to their websites to comply with the new law, before using its enforcement powers.

However, half way through the lead-in period, the ICO has issued a report which reveals that it is disappointed at the level of engagement shown by website owners.  The ICO believes that on receipt of a complaint, website owners should be able to demonstrate the steps they are taking and the timescale within which they expect to achieve compliance with the new rules.

Updated guidance

In light of this, the ICO has released more detailed guidance notes on the steps that website owners should be taking and a link to the full guidance can be found at the end of this article.  Useful practical sections within the guidance include ‘Conducting a cookies audit’ and a detailed description of the different ways website owners may obtain consent in practice.

Going forward

The ICO has indicated that waiting until the expiry of the 12 month lead-in period is not an acceptable approach for website owners to take.  Website owners must be able to demonstrate that they have taken positive action during the lead-in period towards compliance.  If a website is not compliant by the end of the lead-in period (May 2012), the ICO Commission will expect an explanation as to why this was not possible.

As part of any investigation by the ICO, website owners should be able to demonstrate:

  • the steps that they are taking; and
  • the timescale within which they expect to achieve compliance

The ICO will not issue prescriptive lists on how to comply with the new law in addition to the guidance, believing that the best approach is for each website owner to work out how it is best to get the necessary information to their users and obtain their consent.  Website owners should bear in mind that the more personal the information collected, the higher the level of consent required from the user.