Across the EU, the law relating to the use and storage of cookies on computers and mobile devices changed on 25 May 2011. The new law requires that opt-in consent to use or store cookies is obtained from website users – rather than the opt-out that was previously the case.

The implementation of the new law varies across EU member states, depending on how individual countries have interpreted the directive. DLA Piper has published a summary of how the law has been implemented across the EU.

UK implementation of the Directive

The UK has adopted a strict interpretation for implementing the E-Privacy Directive into national law. The approach adopted means website operators that store or use cookies are required to obtain prior express opt-in consent from the user or subscriber.

The Information Commissioner (ICO), the UK’s data protection regulator, has given businesses until 25 May 2012 to comply. Failure to comply could not only mean reputational damage, but also fines of up to £500,000 ($800,000).

Cookie compliance guidance

The ICO has provided a number of guidance notes to assist with compliance with the UK law. On 13 December the ICO published its most recent guidance, which sets out the rules on use of cookies. To the disappointment of many website operators, the ICO emphasised that the changes are not going to go away.

So here are six steps that website owners should consider taking:

1. Check the types of cookies you use and how you use them

Identify the types of cookies and similar technologies used by your websites. You should note the name of the cookie, the duration of the cookie – for example, a single session, 24 hours or one year – whether it is first or third party, the domain to which it relates, and the purpose of the cookie.

2. Determine the intrusiveness of the cookies

Next, you should look at the purpose of the cookie and the information that it stores or collects. To be compliant with the law, the more intrusive the cookie, the higher the obligation to notify what it collects.

For example, a website that uses only analytics cookies, such as those set by Google Analytics, will be low on the enforcement agenda of the UK’s ICO, compared with a website that uses more intrusive tracking and monitoring cookies.

3. Is consent needed?

The law includes an exception to the opt-in consent requirement, where the cookie is “strictly necessary” for the service requested by the user.

This exemption is interpreted narrowly: it covers things such as shopping basket-related cookies, but not cookies used for analytics. You should assess whether the narrow “strictly necessary” exemption applies to each cookie you use.
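Steps 1 to 3 amount to a repeatable audit: record each cookie's name, lifetime, domain and first- or third-party status, attach a purpose, and decide whether the "strictly necessary" exemption removes the consent requirement. The following is an added example, not code from the article or from the ICO, that performs that audit over Set-Cookie response headers captured while loading a page. The site name, hostnames, headers and the purpose catalogue are constructed placeholders; the purpose catalogue in particular is an assumption, since a cookie's purpose cannot be derived from the header and must be documented by the operator.

```javascript
// Added example: cookie inventory and "strictly necessary" classification.
// Input is a list of Set-Cookie headers with the host that sent each one.

// Constructed sample data: the audited site and headers observed on one page load.
const SITE_HOST = 'www.example.com';
const OBSERVED = [
  { from: 'www.example.com', header: 'sessionid=abc123; Path=/; HttpOnly; Secure' },
  { from: 'www.example.com', header: 'basket=item42; Max-Age=86400; Path=/' },
  { from: 'www.example.com', header: '_ga=GA1.2.1; Expires=Tue, 25 May 2032 00:00:00 GMT; Domain=.example.com' },
  { from: 'ads.tracker-example.net', header: 'uid=xyz; Max-Age=63072000; Domain=.tracker-example.net' },
];

// Hypothetical purpose catalogue maintained by the operator. Only entries marked
// strictlyNecessary fall under the exemption; everything else needs opt-in consent.
const PURPOSES = {
  sessionid: { purpose: 'login session', strictlyNecessary: true },
  basket: { purpose: 'shopping basket', strictlyNecessary: true },
  _ga: { purpose: 'analytics', strictlyNecessary: false },
};

// Crude registrable-domain heuristic (last two labels). A production audit should
// use the Public Suffix List so that names under co.uk etc. are handled correctly.
function registrableDomain(host) {
  return host.toLowerCase().replace(/^\./, '').split('.').slice(-2).join('.');
}

// Parse one Set-Cookie header into name, value and the attributes the audit needs.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
    maxAge: null, expires: null, domain: null, secure: false, httpOnly: false };
  for (const a of attrs) {
    const i = a.indexOf('=');
    const k = (i < 0 ? a : a.slice(0, i)).toLowerCase();
    const v = i < 0 ? '' : a.slice(i + 1).trim();
    switch (k) {
      case 'max-age': cookie.maxAge = parseInt(v, 10); break;
      case 'expires': cookie.expires = new Date(v); break;
      case 'domain': cookie.domain = v; break;
      case 'secure': cookie.secure = true; break;
      case 'httponly': cookie.httpOnly = true; break;
    }
  }
  return cookie;
}

// Lifetime in seconds; Max-Age takes precedence over Expires; null means a session cookie.
function lifetimeSeconds(cookie, now) {
  if (cookie.maxAge !== null) return cookie.maxAge;
  if (cookie.expires) return Math.max(0, Math.round((cookie.expires - now) / 1000));
  return null;
}

function describeLifetime(secs) {
  if (secs === null) return 'session';
  if (secs < 3600) return `${secs}s`;
  if (secs < 86400) return `${Math.round(secs / 3600)}h`;
  return `${Math.round(secs / 86400)}d`;
}

// Build the inventory row for each observed cookie and flag whether consent is needed.
function auditCookies(siteHost, observed, purposes, now = new Date()) {
  const site = registrableDomain(siteHost);
  return observed.map(({ from, header }) => {
    const c = parseSetCookie(header);
    const domain = c.domain || from;
    const party = registrableDomain(domain) === site ? 'first' : 'third';
    const info = purposes[c.name] || { purpose: 'UNKNOWN, investigate', strictlyNecessary: false };
    return {
      name: c.name,
      domain,
      party,
      lifetime: describeLifetime(lifetimeSeconds(c, now)),
      purpose: info.purpose,
      consentRequired: !info.strictlyNecessary,
    };
  });
}

// Reference date fixed so the report is reproducible.
console.table(auditCookies(SITE_HOST, OBSERVED, PURPOSES, new Date('2012-05-25T00:00:00Z')));
```

Cookies absent from the catalogue are reported as needing consent and flagged for investigation, which is the safe default for the third-party cookies that step 6 warns often go unnoticed.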

4. Consider the best solution for obtaining consent where required

Once you have identified and understand the nature of cookies being used, you should consider which mechanism to obtain consent would be best for your website.

The options suggested by the ICO include pop-ups, terms and conditions, settings-led consent, and features-led consent. There is no universal approach to consent, so managers, the tech team and legal advisers will have to determine the best approach.
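Whichever consent mechanism is chosen, the technical core is the same: cookies that are not strictly necessary must not be written until the user has opted in, and the opt-in must be recorded so it can be checked on later page loads. The following is an added example, not code from the article, the ICO or any consent product, of a small consent gate that enforces this. The category names, the consent cookie name and the in-memory cookie jar are assumptions made for the example; in a browser the same gate is created with `document` as the jar.

```javascript
// Added example: a consent gate that writes "necessary" cookies immediately and
// holds back every other category until consent for it has been recorded.
// `jar` is any object with a document.cookie-style string property.
function createConsentGate(jar, consentCookieName = 'cookie_consent') {
  // Hypothetical categories; "necessary" corresponds to the strictly-necessary exemption.
  const CATEGORIES = ['necessary', 'analytics', 'advertising'];
  const pending = []; // non-essential cookies requested before consent, replayed on opt-in

  // Read the stored consent record, or null if the user has not chosen yet.
  function readConsent() {
    const m = jar.cookie.match(new RegExp('(?:^|;\\s*)' + consentCookieName + '=([^;]*)'));
    if (!m) return null;
    try { return JSON.parse(decodeURIComponent(m[1])); } catch (e) { return null; }
  }

  function write(name, value, attrs) {
    jar.cookie = `${name}=${encodeURIComponent(value)}${attrs}`;
  }

  // Returns true if the cookie was written, false if it was deferred pending consent.
  function setCookie(name, value, category, attrs = '; Path=/; SameSite=Lax') {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category ${category}`);
    const consent = readConsent();
    if (category === 'necessary' || (consent && consent[category] === true)) {
      write(name, value, attrs);
      return true;
    }
    pending.push({ name, value, category, attrs });
    return false;
  }

  // Store the user's choices and replay any deferred cookies the choices now allow.
  function recordConsent(choices) {
    const consent = {};
    for (const c of CATEGORIES) consent[c] = c === 'necessary' ? true : choices[c] === true;
    // The consent record itself is needed to honour the user's choice, so it is always written.
    write(consentCookieName, JSON.stringify(consent), '; Path=/; Max-Age=15552000; SameSite=Lax');
    const stillPending = [];
    for (const p of pending.splice(0)) {
      if (consent[p.category]) write(p.name, p.value, p.attrs); else stillPending.push(p);
    }
    pending.push(...stillPending);
    return consent;
  }

  return { setCookie, recordConsent, readConsent, pendingCount: () => pending.length };
}

// Minimal document.cookie stand-in so the gate can be exercised outside a browser.
// Unlike a browser it ignores attributes and only stores name=value pairs.
function memoryJar() {
  const store = new Map();
  return {
    get cookie() { return [...store].map(([k, v]) => `${k}=${v}`).join('; '); },
    set cookie(s) {
      const [pair] = s.split(';');
      const i = pair.indexOf('=');
      store.set(pair.slice(0, i).trim(), pair.slice(i + 1).trim());
    },
  };
}

// Walk-through: the session cookie is written at once, the analytics cookie waits
// for the user's choice and is written only once analytics consent is recorded.
const demoJar = memoryJar();
const gate = createConsentGate(demoJar);
gate.setCookie('sessionid', 'abc123', 'necessary');
gate.setCookie('_ga', 'GA1.2.1', 'analytics');
console.log('before consent:', demoJar.cookie);
gate.recordConsent({ analytics: true, advertising: false });
console.log('after consent: ', demoJar.cookie);
```

Deferring rather than silently dropping the request means the analytics or advertising script can be initialised in the normal way and its cookies appear only after the opt-in, which also gives a single place to log what was requested but withheld.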

5. Update your privacy policy

The law requires you to give the user “clear and comprehensive” information about the purposes of the cookies. This requirement means you will need to update your privacy policy and include comprehensive information about your use of cookies. You may have to provide a stand-alone cookie notice, depending on the types of cookie used by your website.

6. Check your agreement with third parties

One of the key issues for many websites is the use of third-party cookies, which often go under the radar in cookie audits. In your agreement with third-party service providers – such as advertising agencies, affiliates and marketing companies – you should think about including an obligation to assist you with compliance with the new law, and also provide you with detailed information about any third-party cookies that they control.

In the UK, businesses have until 25 May 2012 to ensure they have a solution in place. Adopting a wait-and-see approach will not be enough to protect them from enforcement risks.