UK cookie tracking law is now live

Internet users in the UK, do you feel more secure this week? On Saturday, the so-called "cookie law" went into effect in the region, which requires website owners to ask for permission before installing certain kinds of cookies on users' machines.

As outlined by the U.K.'s Information Commissioner's Office (ICO), however, non-compliance won't immediately result in major penalties.

At issue are Internet cookies, or little bits of data collected about your Internet activity. They can be useful, like remembering passwords and settings on sites that you surf to frequently, but there are also concerns about targeted advertising and how much data is really collected.

The European Union's Privacy and Electronic Communications Directive passed in 2009. EU countries have slowly been implementing the law since then, and it came into effect in the U.K. over the weekend.

The legislation is a far-reaching online privacy directive, but on the cookie front, it requires websites to obtain express consent from users before collecting certain cookie data. As explained by the ICO, those setting cookies must: tell people that the cookies are there; explain what the cookies are doing; and obtain their consent to store a cookie on their device.

This does not apply to all cookies; the ones logged when you add something to an online shopping basket or pay for something online don't count, for example.

Despite the law's implementation this weekend, however, it appears that the ICO does not have any sort of immediate crackdown planned for those who aren't compliant.

In a recent discussion about the law, Dave Evans, group manager at the ICO, said "it is a concern" that some websites have not yet implemented the law, but acknowledged that "this isn't an easy area for people to comply with."

"What we do expect is that anyone who's not ready by the end of May 2012, can at least demonstrate that they've A) taken some steps already, and B) that they've got a realistic plan at the end of which they'll be able to say they've achieved compliance," Evans said.

Monetary penalties, he said, will only be implemented "where there's been a serious breach that's likely to cause substantial damage to people, and where there is kind of a willful element towards non-compliance."

In February, the Obama administration unveiled its plan for an online privacy bill of rights intended to protect consumers on the Web. It gives consumers the right to know what information is being collected about them and calls on all browser makers to implement easy-to-use "do not track" technology, among other things.

The ICO's Evans said the Department for Culture, Media, and Sport has been working with browser manufacturers about "do not track" plans. For more on that, see The State of 'Do Not Track' in Current Browsers.