ICO blog: Updated advice and guidance on changes to the EU cookie law

A year ago on 26 May 2011, the Information Commissioner published new guidance and announced that he would allow organisations a year-long period to work towards compliance with the new changes.

A year on and the ICO has hosted a media briefing, updated the guidance, written to a sample of more than 50 organisations behind popular websites and worked directly with others to help achieve compliance.

We’ve also spoken about the changes at over 30 events. We’ve been saying that we expect organisations to be on the path to compliance – which means that UK websites must provide visitors with sufficient information to make a decision on whether they are happy for a cookie to be placed on their device and obtain consent before placing a cookie.

We’ve stressed that there’s no ‘one size fits all approach’. We think that organisations themselves are best placed to develop their own solutions. They will know how and why their customers use their websites better than we do.

The Information Commissioner is responsible for enforcing the law, and can’t change the legislation which was passed by the EU, and later implemented by the Department for Culture, Media and Sport (DCMS).

In response to some of the frequently asked questions we’ve put together a short video to answer:

  1. How can UK organisations comply with the new cookies changes?
  2. Is the ICO concerned that many websites aren’t yet compliant?
  3. What approach will the ICO be adopting to enforcing the amended cookies laws?
  4. What are the benefits of complying with the new cookies regulations?
  5. What should members of the public do if they are concerned about cookies being placed on their device?
  6. How is the ICO working with web browsers and third party advertisers to ensure they comply with the changes?

(Video transcript. NB: playing YouTube video sets a cookie – more info.)


First issued in May 2011, the guidance has been updated to clarify the following points around implied consent:

  • Implied consent is a valid form of consent and can be used in the context of compliance with the revised rules on cookies.
  • If you are relying on implied consent you need to be satisfied that your users understand that their actions will result in cookies being set. Without this understanding you do not have their informed consent.
  • You should not rely on the fact that users might have read a privacy policy that is perhaps hard to find or difficult to understand.
  • In some circumstances, for example where you are collecting sensitive personal data such as health information, you might feel that explicit consent is more appropriate.

Download the ICO’s cookies guidance (pdf)
Read more about cookies in our guide to the Regulations

For the public

We have published cookies advice for members of the public that sets out some of the steps people can take to protect their online privacy. We have also recorded a short video to explain what they can do if they are concerned about cookies.

Feedback and reporting cookie concerns

We are inviting people to let us know about the sites they have concerns about by using our ‘Report your cookie concerns’ tool.

This will help us to monitor organisations’ adherence to the rule relating to cookies, and identify sectors where further advice or enforcement activity may be required. We will update our website with details of any action we are taking.

Dave EvansDave Evans managed the Business and Industry Group which develops and manages the ICO’s relations with its key stakeholders in the private sector and provides advice on a range of significant data protection policy areas. Dave left the ICO in July 2013.
This entry was posted in Dave Evans and tagged , , . Bookmark the permalink.