The updated Directive came into force on 26 May 2011, which means all EU countries should have brought the new requirements over cookie usage into law. There is some leeway and discretion on how Directives are interpreted by each individual EU member country. However, most EU countries haven’t done anything about meeting the new requirements at all; only Denmark and Estonia have attempted to comply by the deadline.
The ICO will currently be satisfied if your business is preparing for a change in law on website cookie usage, and if your business makes an effort to inform consumers about your website’s cookie usage. Therefore, at this time I advise the following approach in order to avoid fines and to prepare for compliance.
1. Conduct an audit of ALL Cookie usage
This business-wide audit must cover all Internet-facing websites and web applications. Record all cookie usage, including similar technologies like Flash cookies. Ensure you detail how each cookie is technically being used by the website/web application, and log the type of information stored within the cookie file (on the consumer’s local PC). Ensure you note any cookie usage connected with third-party advertisements, as these will be the highest concern to the lawmakers.
2. If it exists, take a copy of the current website privacy and/or cookie statement
3. Create or update the website privacy/cookie statement to include details of cookie usage. For example, review The Guardian newspaper’s website cookie statement, which makes a good example covering most types of cookie usage - http://www.guardian.co.uk/help/privacy-policy#cookies
4. Make sure your privacy/cookie statement explains in plain English what a cookie actually is. http://www.allaboutcookies.org/
5. Provide instructions on how to switch on web browser cookie screening, covering all the major web browsers.
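One way to start the inventory described in step 1, as an added example that is not part of the original post: the script takes `Set-Cookie` headers captured while browsing a site and records each cookie's lifetime, scope and whether a third party set it. The hosts, cookie values and function names are constructed for illustration; it covers HTTP cookies only (not Flash cookies), and the third-party test is a simplification.

```python
from urllib.parse import urlsplit

# Constructed sample input: (audited page URL, URL of the response that set
# the cookie, raw Set-Cookie header value). Hosts and values are made up.
CAPTURED = [
    ("https://shop.example/", "https://shop.example/",
     "sessionid=abc123; Path=/; HttpOnly"),
    ("https://shop.example/", "https://shop.example/",
     "prefs=lang%3Den; Max-Age=31536000; Path=/"),
    ("https://shop.example/", "https://ads.example.net/pixel.gif",
     "uid=7f3a9c; Expires=Wed, 01 Jan 2020 00:00:00 GMT; Domain=.example.net"),
]

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attributes dict)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def is_third_party(site_host, setter_host):
    """Assumption: same host or a subdomain counts as first party. A fuller
    audit would compare registrable domains using the Public Suffix List."""
    return not (setter_host == site_host or setter_host.endswith("." + site_host))

def audit(captured):
    """Return one inventory record per cookie observed."""
    records = []
    for page_url, setter_url, header in captured:
        name, value, attrs = parse_set_cookie(header)
        site_host = urlsplit(page_url).hostname
        setter_host = urlsplit(setter_url).hostname
        persistent = "expires" in attrs or "max-age" in attrs
        records.append({
            "site": site_host,
            "cookie": name,
            "set_by": setter_host,
            "third_party": is_third_party(site_host, setter_host),
            "lifetime": "persistent" if persistent else "session",
            "scope": attrs.get("domain", setter_host),
            "value_length": len(value),  # record the size, not the value itself
        })
    return records

if __name__ == "__main__":
    for rec in audit(CAPTURED):
        print(rec)
```

What each cookie is used for and the type of information it stores still has to be filled in by someone who knows the application.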
So get the audit done and update your website privacy statement accordingly. After all, it shouldn’t take too long, and this has a very low cost to deliver. It is the right thing to provide this type of information to your customers, plus it will protect your business from criticism and fines.
Finally, the last step is to wait until there is a further announcement by the UK government. I suggest not wasting any of your time and money in trying to develop a cookie acceptance box for your website. The ICO website has such an acceptance tick box (http://www.ico.gov.uk/); however, it is an epic fail, as you don’t need to tick the ICO acceptance in order to use the website!
How will the UK deal with "Consent"?
This is speculation, but to my knowledge none of the UK government agencies and departments involved with addressing the EU Directive are even considering a solution which involves the website/web application code blocking a cookie prior to a user accepting it. They are viewing consent as providing clear information to users on cookie usage within websites, together with making web browser suppliers change default cookie settings. The International Chamber of Commerce is currently working on these solutions with the ICO.
"the Government has said it will work with browser manufacturers to see if browser setting can be enhanced to meet the requirements of the directive"