The May 2012, deadline for commencing enforcement draws ever closer. Any website operator with a significant user base in Europe should at this point be developing a strategy for compliance. If you have a substantial Internet presence in Europe, and are ignoring the Cookie Directive and hoping it goes away, you do so at your peril. In a Guidance issued last month, the ICO warned that companies disregarding the Cookie Directive should “be assured” that, after May 26, 2012, the ICO will be enforcing compliance.
The ICO’s website offers one example what compliance with the EU Cookie Directive might involve. When you first access the site, you see a boxed message at the top of the page stating:
Below this statement, users are asked to check a box next to the statement: “I accept cookies from this site.”
If you click on the “Privacy Notice” referred to in the disclaimer, you are directed to a chart that: (i) lists 8 different types of cookies employed the ICO site, (ii) provides detailed descriptions as to when and how these cookies are used, and (iii) provides links where you can obtain more information about these cookies.
We are not saying that your website must imitate what the ICO has done. In its recent Guidance, the ICO made it clear that it was not advocating one approach for every website or that it was expecting perfect compliance by May 26, 2012. But the ICO also made it clear that if it receives complaints, or is otherwise investigating a site, it will expect the website operator to be able to identify the steps that the website had taken towards compliance with the Cookie Directive.
In order to have a good answer to this question if the ICO comes calling, we recommend the following:
- Pay attention to how peer websites are disclosing their cookie practices—particularly over the next few months as companies prepare for the May 26th enforcement deadline. You don’t want to be the only website in your industry that has failed to adopt disclosure practices which have become an industry standard.