In a document advising businesses on the EU’s new rules on collecting Internet cookies, the UK’s Information Commissioner has warned that relying on users’ browser settings will not be enough to remain compliant.

As of 26th May 2011, businesses will be obliged by law to ask users’ consent before collect Internet cookies – the short text files stored on the user’s computer that allows website operators to track their preferences and browsing history.

It has been suggested that an update to browser software allowing the user to give blanket consent to any website they visit might be enough to resolve the issue.

However, the ICO has advised business against relying on this possibility.

"At present, most browser settings are not sophisticated enough to allow you to assume that the user has given their consent to allow your website to set a cookie," it said in a document published today. "Also, not everyone who visits your site will do so using a browser.  They may, for example, have used an application on their mobile device."

"So, for now we are advising organisations which use cookies or other means of storing information on a user’s equipment that they have to gain consent some other way."

Those other means could include a pop-up box asking for consent, including consent in the terms and conditions of products and services or including it in user settings.

The ICO also explained that cookies that are considered "strictly necessary" to providing a service are exempt from the new rules. These include cookies that are created when the user is making a payment.
 
The EU’s definition of which cookies are "strictly necessary" depends on whether the user has "explicitly requested" the service in question. "The exception would not apply, for example, just because you have decided that your website is more attractive if you remember users’ preferences or if you decide to use a cookie to collect statistical information about the use of your website."  

The guiding principle should be the potential impact on a user’s privacy, the ICO said. "The more privacy intrusive your activity, the more priority you will need to give to getting meaningful consent."

It added that should it receive a complaint about a website operator’s use of cookies, it will look at what attempts the company in question has made to accomodate the new rules when deciding on a course of action. "We would expect an organisation’s response to set out how they have considered the [new rules] and that they have a realistic plan to achieve compliance."

In light of the ICO’s recommendations, City law firm Speechly Bircham described the new rules as "incredibly onerous" for website operators.

"Businesses who wish to protect their reputation will face a number of costly challenges ranging from extensive internal audits to determine what operational mechanisms they need to put in place, to third party expenses such as legal and IT input on how to become fully compliant," said partner Robert Bond in a statement.

"While it is laudable that the EU is attempting to increase Internet users’ privacy, the haphazard way in which the directive is still being interpreted across Europe coupled with the generic nature of these guidelines means that these changes… will do some damage to UK plc’s balance sheet to start off with."