Businesses that run websites aimed at UK consumers are being given up to 12 months to ‘get their house in order’ before enforcement of the new EU cookies law begins, Information Commissioner, Christopher Graham, has said.

The UK Government has revised the Privacy and Electronic Communications Regulations, which come into force in the UK today, to address new EU requirements. The Regulations make clear that UK businesses and organisations running websites in the UK need to get consent from visitors to their websites in order to store cookies on users’ computers.

Cookies are small files that a website puts on a user’s computer so that it can remember something, for example the user’s preferences, at a later time. The majority of businesses and organisations in the UK currently use cookies for a wide variety of reasons – from analysing consumer browsing habits to remembering a user’s payment details when buying products online.

The ICO has today published guidance on its approach to enforcing the new rules – as well as guidance on other new powers coming into force as part of the revised Regulations.

Christopher Graham said:

“I have said all along that the new EU rules on cookies are challenging. It would obviously ruin some users’ browsing experience if they needed to negotiate endless pop ups – and I am not saying that businesses have to go down that road. Equally, I have to remember that this law has been brought in to give consumers more choice about what companies know about them. That’s why I’m taking a common sense approach that takes both views into account.

“Browser settings giving individuals more control over cookies will be an important contributor to a solution. But the necessary changes to the technology aren’t there yet. In the meantime, although there isn’t a formal transitional period in the Regulations, the Government has said they don’t expect the ICO to enforce this new rule straight away. So we’re giving businesses and organisations up to one year to get their house in order. This does not let everyone off the hook. Those who choose to do nothing will have their lack of action taken into account when we begin formal enforcement of the rules.

“As the regulator, I’m conscious that my own website will be looked at for a model of how to comply. We’ve decided to place a header bar on our website giving users information about the cookies we use and choices about how to manage them. I am not saying that other websites should necessarily do the same. Every website is different and prescriptive and universal ‘to do’ lists would only hinder rather than help businesses to find a solution that works best for them and their customers. The initial advice that we issued earlier this month will continue to be supplemented with real-life examples as they come in.”