Cookie Penalty

The ICO has indicated that during the next twelve months it will not be taking any enforcement action against companies that can show that they are considering their use of cookies and working on solutions to the problem of obtaining consent.  The key message from the ICO is that inaction is not acceptable. If the ICO is of the view that organisations are not making adequate preparations to be compliant by May 2012 a warning may be issued as to the use of the Information Commissioner's future powers.

After May 2012 the ICO will follow the approach to enforcement set out in the Commissioner's Data Protection Regulatory Action Policy. In deciding whether enforcement action is appropriate the ICO will be concerned with the impact of the breach of the new cookie law on the privacy and other rights of website users, not just with if there has been a technical breach of the UK Regulations.

The UK Regulations carry a maximum fine of 500,000 for serious breaches. It is anticipated that this power will only be used in limited circumstances. Before this the fine was 5,000 and companies may have been willing to run the risk but with these increased powers the result of enforcement action is potentially more severe.