Reports of the demise of Internet innovation in the UK, as a result of the UK’s implementation last May of the new European Directive governing the use of “cookies”, were greatly exaggerated. That said, the impact of the Cookies Directive was delayed when the UK Information Privacy Office (“ICO”) announced that it would abstain from enforcement of the Cookies Directive for a year, in order to give website operators an opportunity to adapt to the new requirement that (with some specific exceptions) website operators must obtain express consent before placing a “cookie” (a small text file that can be used to identify a device and track its activity) on a user’s device. Given the almost universal use of cookies to enhance functioning and user experience on websites, critics have complained that compliance with the Cookie Directive will result in an Internet slowed to a crawl by a proliferation of pop-up boxes seeking consent every time cookies are deployed.
The May 2012 deadline for commencing enforcement draws ever closer. Any website operator with a significant user base in Europe should at this point be developing a strategy for compliance. If you have a substantial Internet presence in Europe, and are ignoring the Cookie Directive and hoping it goes away, you do so at your peril. In a Guidance issued last month, the ICO warned that companies disregarding the Cookie Directive should “be assured” that, after May 26, 2012, the ICO will be enforcing compliance.
The ICO’s website offers one example of what compliance with the EU Cookie Directive might involve. When you first access the site, you see a boxed message at the top of the page stating:
“The ICO would like to use cookies to store information on your computer, to improve our website. One of the cookies we use is essential for parts of the site to operate and has already been set. You may delete and block all cookies from this site, but parts of the site will not work. To find out more about the cookies we use and how to delete them, see our privacy notice.”
Below this statement, users are asked to check a box next to the statement: “I accept cookies from this site.”
If you click on the “Privacy Notice” referred to in the disclaimer, you are directed to a chart that: (i) lists 8 different types of cookies employed by the ICO site, (ii) provides detailed descriptions as to when and how these cookies are used, and (iii) provides links where you can obtain more information about these cookies.
We are not saying that your website must imitate what the ICO has done. In its recent Guidance, the ICO made it clear that it was not advocating one approach for every website or that it was expecting perfect compliance by May 26, 2012. But the ICO also made it clear that if it receives complaints, or is otherwise investigating a site, it will expect the website operator to be able to identify the steps that the website had taken towards compliance with the Cookie Directive.
In order to have a good answer to this question if the ICO comes calling, we recommend the following:
- Examine whether there are ways in which your privacy policy can more specifically identify the different types of cookies employed and whether you can better explain when and why they are used.
- Examine the feasibility of incorporating into the architecture of your website an express “opt-in box” for your use of cookies, and the extent to which such a box would interfere with the user experience.
- Pay attention to how peer websites are disclosing their cookie practices—particularly over the next few months as companies prepare for the May 26th enforcement deadline. You don’t want to be the only website in your industry that has failed to adopt disclosure practices which have become an industry standard.