By DLA Piper UK LLP and DLA Piper Scotland LLP

What last minute steps can be taken to achieve compliance?

The deadline for the implementation of the new law requiring website users to provide “opt-in” consent to cookies is fast approaching and all businesses operating websites should take immediate steps to ensure that they abide by the new rules.

The UK regulator provided businesses with a 12 month “lead-in period” to develop the ways in which they use cookies to ensure compliance with the new rules. This 12 month lead in period expires on 25 May 2012, giving businesses little time to achieve compliance. The new law means that all websites are legally required to obtain the website user’s “opt-in” consent for using cookies, rather than “opt-out” consent as was previously the case. Businesses should ensure that they have taken the following steps to achieve compliance before the imminent deadline.


The UK legislation which implements the amendments to the E-Privacy Directive came into force on 25 May 2011 and states that a user or subscriber must: a) be given clear and comprehensive information about the purposes of the storage of cookies; and b) provide his or her express opt-in consent.

During 2011, the Information Commissioner’s Office (“ICO”) issued guidance on the new law aimed at affected organisations. One of the key messages from the ICO is that the more directly the use of a cookie involves the user’s personal information, “the more carefully you need to think about how you get consent”.

Failure to comply could not only mean reputational damage to businesses, but the ICO also has the power to impose fines of up to £500,000. It is not to be ignored.


The two leading guidance on cookie compliance launched to date have been by the ICO in December 2011 (“ICO Guidance”) and more recently by the International Chamber of Commerce in April 2012 (“ICC Cookie Guide”). The key steps which any company reviewing its “cookies compliance” should follow are:

Step 1 – Cookies Audit

You should begin identifying the cookies (and similar technology) which are used by your websites. A “cookie audit” should be undertaken with the assistance of your IT/ website department and specialist legal advisors. These should include a review of the categories of cookies used by the website, the life-span of such cookies and the types of information collected by the cookies. As a general rule, the more personal information collected by a cookie (e.g. tracking and targeting cookies), the higher the obligation to obtain consent will be.

Categories to include in the cookie audit (as set out by the ICC Cookie Guide) include:

a) Strictly Necessary: these cookies are essential in order to enable the user to move around the website and use its features. The general rule is that these cookies enable services the user has specifically asked for, and are most likely to amount to first part session cookies. Please note, that guidance by the ICO confirms that this exception will be construed narrowly.

b) Performance: these cookies collect information about how visitors use a website and can be first or third party, session or persistent. Examples include: web analytics; affiliate tracking; testing website designs; and ad response rates.

c) Functionality: these cookies allow the website to remember choices and changes made and can be first or third party, session or persistent. Examples include: remembering users’ preferences / choices (e.g. font size, preferences); remembering a choice (e.g. not being asked to fill out a questionnaire); and providing information to allow optional services to function (e.g. chat sessions).

d) Targeting / Advertising: these cookies are used to deliver adverts more relevant to the user (e.g. behavioural advertising) and to track the webpages a user has visited. The cookies will usually be third party cookies. Examples include: social networking cookies (e.g. facebook/ twitter); and cookies placed by advertising networks to collect browsing habits in order to target relevant adverts to the user.

Step 2 – Map out compliance options

Once you understand the cookies which your website(s) use, you must then consider the options available to them in order to comply. These might include the options set out in the ICO’s Preliminary Guidance, for example:

  • Pop-ups: the ICO considers that this can be an effective method for obtaining consent although it recognises that this may “spoil the user experience” and is keen to stress that this is not the only method of achieving compliance.
  • Terms and conditions: the ICO Guidance considers that valid consent can be obtained through the use of terms and conditions. However, where terms and conditions are changed, it will be necessary to obtain the informed agreement of existing customers to such changes, by way of way of a tick box or similar arrangement.
  • Settings-led consent: the ICO confirms that consent could be obtained as part of the process by which the user confirms what they want to do on the site or how they want the site to work, provided that in requesting the relevant setting the user understands that they are consenting to the use of a cookie.
  • Feature-led consent: as with the settings-led consent approach, the ICO Guidance considers that consent can be obtained where a user chooses to use a particular feature of the site (e.g. watching a video clip), provided the relevant information is provided to the user when making the choice. In each case, in order to obtain consent from the user, it should be made clear that by choosing to take a particular action certain things will happen. The more complex or intrusive the activity, the more information the user will require.
  • Browser Settings: it had been widely anticipated that the user’s browser settings could be used as a viable solution to obtain the necessary consent required to comply with the new regulations. However, the ICO Guidance states that “at present” browser settings are “not sophisticated enough” to obtain consent.
  • Once is enough: ICO Guidance confirms that consent is only required before the cookie is set for the first time. Once consent has been obtained, repeated consent is not required to use the same cookie for the same person on subsequent occasions.

Step 3 – Implementation

In order to ensure that enforcement action is not taken against you by the applicable EU privacy regulator, you need to check when your compliance method must be in place. As set out above, in the UK implementation must be in place no later than 25 May 2012. Failure to implement changes by 25 May 2012 could lead to the ICO imposing fines upon organisations up to £500,000 (although these will be reserved for the most serious cases and those websites which use cookies for privacy intrusive purposes).

Step 4 – Additional Considerations and Steps

When conducting a cookie audit, you should also consider and undertake the following:

  • Due Diligence: conduct due diligence on ad network/metrics partners and vendors before contracting;
  • Click-wrap agreements: make sure your business never signs click-wrap agreements without a legal review;
  • Effective contracts: bind your partner to: a) comply with applicable laws; b) clear and conspicuous disclosure; c) opt-in/opt-out consent; d) flow-through terms to vendors; and e) audit rights;
  • Post-contract monitoring: is your partner fulfilling its contractual promises?
  • Evaluation of Agreements: always check and evaluate agreements against legal requirements and your Privacy Policy.

DLA Piper’s EU Information Law team have developed a robust methodology to assist organisations through the complex rules relating to compliance with cookies and can assist organisations by undertaking a cookies audit, suggesting compliance options and assisting in the implementation of a commercially viable cookie compliance solution.