Website Legal Requirements – Cookies – Non-compliance of Public Authority Websites

As a result of changes to the EU Privacy and Electronic Communications Directive it is unlawful to use cookies to collect user data without first obtaining explicit consent. In a recent audit of over 600 public sector websites only 1% complied with the new cookie law.

Website Audit

The Society for Local Authority IT Managers (Socitm), an independent organisation funded through the membership of local government IT workers, recently carried out an audit of UK public sector websites. Using automated search technology it audited over 600 public sector websites and discovered that only 6 complied with the obligation to obtain informed consent to the use of cookies.

Prior to carrying out the audit each organisation was asked to estimate how many cookies they used on their website. Most organisations substantially underestimated the number of cookies they used.

Legal Implications

By May 2012, the UK Information Commissioner’s Office (ICO) expects businesses and organisations to:

  • provide clear information about the way in which cookies are operating on websites; and
  • have a method for obtaining consent to the use of cookies.

A failure to comply with the above runs the risk of a fine of up to 500,000 GBP.

In addition the European Commission has set a deadline for European companies to create a uniform way for web users to opt out of being tracked by cookies within a year of the previous deadline. The Commission has said it will take action if industry does not standardise opt outs in that time.


The ICO has published guidelines on its website. Nevertheless, in each individual case the specific action required and the information to be given to users will depend upon the precise purpose of the cookie(s). For example, using browser settings to obtain consent may be acceptable, and the Government is currently working with Adobe, Apple, Google, Microsoft, Mozilla and Yahoo to create such a technological solution. However, it is not clear whether or not this will suffice to meet European data protection requirements.

It is also unclear whether companies based outside of the UK i.e. in the USA have to comply with the new rules, particularly if they have a website aimed at UK users.


Irene Bodle is an IT lawyer specialising in Internet Law and SaaS Agreements with over 10 years' experience in the IT sector. If you require assistance with any Internet Law, SaaS, ASP, software on demand contracts or any other IT legal issues contact me:
