A new law came into effect in the U.K. this past weekend which requires U.K.-based websites to receive consent from visitors before using cookies to store tracking information about them. Though the law originally called for visitors to explicitly opt in with the use of a checkbox or similar method, the Information Commissioner’s Office (ICO), an independent privacy watchdog, backpedaled just 48 hours before the law was to come into force and watered down the legislation to allow "implied consent" - in other words, websites can assume users have already consented to the use of cookies.

Cookies are small files, usually made up of text and numbers, which websites use to communicate with the device that is accessing them. Cookies come in varying types and often store harmless information, such as whether the user is a repeat visitor or their approximate location. While cookies such as these are rarely a cause for alarm, concerns have been raised about the prevalence of a more invasive form of cookie, used to track the browsing habits of web users and offer personally catered advertisements.

The cookie law originates from a 2003 European Directive (2002/58/EC) concerned with the protection of privacy with regard to electronic communications. Though this 2003 law did not demand consent for the storage of cookies, a later amendment in 2009 made such a requirement law and each EU member state was given until 25th May 2011 to implement their own laws to reflect this change. The U.K. introduced the amendments on 25th May 2011 through The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 and then allowed a grace period of one year for website owners to come into line.

[Image: the message shown to visitors to the BBC website]

However, as the deadline approached it became apparent that most websites, including some in use by the U.K. government itself, would be unable to meet the required standards set out by the law, and thus the law was watered down. The cookie law does contain provisions for a conceivable fine of up to £500,000 (approximately US$784,000) which could be levied against offenders, but the ICO insists that it will be offering guidance, not punishment, to those who fail to meet the new standards.

Citing a survey conducted by PriceWaterhouseCoopers LLP (PWC), the ICO's own cookies guidance PDF states that only 13 percent of respondents indicated that they fully understood how cookies work.

Source: ICO