Originally published May 23, 2012

Keywords: deadline, cookie compliance, penalties, non-compliance

Almost a year ago today, new rules came into force concerning the use of cookies on websites by website operators. In the UK, the Information Commissioner's Office gave website operators a one year grace period from enforcement action, during which website operators were expected to audit and revise the use of cookies on their websites, to change the functionality of their websites and to amend their privacy policies to ensure that they were only setting cookies in circumstances which complied with the new regulations.

The grace period ends on 26 May 2012. After this date, all website operators will have to comply with the new rules and the Information Commissioner's stay on taking enforcement action against those website operators that fail to comply with the new regulations will be lifted.

Penalties for non-compliance

The Information Commissioner can penalise website operators that fail to comply with the new regulations by:

  • Issuing fines: requiring the website operator to pay a penalty of an amount decided by the Information Commissioner, up to a maximum of £500,000.
  • Requiring undertakings to be given: obliging a website operator to undertake certain actions in the future to improve compliance.
  • Issuing enforcement notices: compelling a website operator to take actions specified by the Information Commissioner to bring about compliance with the new rules. Failing to comply with an enforcement notice can be a criminal offence.

Guidance released by the Information Commissioner in December 2011 explained that if full compliance has not been achieved by a website operator by 26 May 2012, that website operator will, if approached by the Information Commissioner, need to provide a detailed explanation as to why compliance has not been achieved by the deadline and will need to provide a clear timescale and a detailed action plan, setting out how and when compliance is expected to be achieved by that website operator.

The new rules

The rules on the use of cookies by website operators changed on 26 May 2011 as a result of an amendment to the Privacy and Electronic Communications (EC Directive) Regulations 2003 and a change to the E-Privacy Directive 2000/58/EC.

The new regulations require website operators to get "opt-in" consent from website users before certain types of cookies or similar technologies can be set. Website operators must also now provide detailed information on the cookies they intend to set and the ways in which they are used so that website users can choose whether to accept them or not and so that the website operator can demonstrate that it has obtained valid consent from those website users.

The new "opt-in" regime is in contrast to previous practice, where website operators commonly just mentioned in their privacy policies that they use cookies and website users were left to "opt-out" by changing their browser settings to block cookies if they did not want cookies to be set on their devices.

Learn more about our Business & Technology Sourcing and Intellectual Property practices.

Visit us at mayerbrown.com

Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe – Brussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.

© Copyright 2012. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.