Even in my original post I pointed out that this was unlikely. However, we now have some clarification. The EU has released some guidelines on how the legislation will be implemented (PDF download).
As somebody recently pointed out on a mailing list I subscribe to, the guidelines aren't going to win any 'plain English' awards. I therefore thought a summary of some key points might help.
First, let's look at what steps you need to take.
What you need to do
Fortunately there is little that you need to do. Begin by ascertaining what cookies (if any) your website sets and what each one does.
There are two things in particular to look out for. First, do you store information about individuals in cookies, and if so, what information. Second, is each cookie set by your own domain (a first-party cookie) or by another domain whose content you embed, such as an advertising network (a third-party cookie). Cookies always live in the visitor's browser, so the question is who sets them, not where they are stored. This second point is important because third-party cookies are the ones the legislation is primarily aimed at. Fortunately, unless you are using advertising or other embedded third-party content on your site, most of your cookies are likely to be first-party.
Once you have done an audit of the cookies, inform the user about their use. How you should do this will vary depending on the type of cookies you use and the information collected.
The guidelines suggest a number of ways consent can be given, none of which strike me as particularly onerous. In fact in many cases the guidelines seem to suggest that a simple link to a page containing cookie information would be enough.
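The audit step above is the only technical work involved, so here is an added example (not code from the original post) of how to do it systematically. It takes a set of Set-Cookie headers, each paired with the host whose response carried it, and classifies every cookie as first-party or third-party relative to your site, while also recording whether it is a session or persistent cookie and which security flags it carries. The hosts, cookie names and header values are constructed sample data, and the public suffix table is a deliberately small subset; a real audit would collect the headers from your own site with browser developer tools or a proxy and use the full public suffix list.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Small subset of the public suffix list, enough for the constructed sample below.
# A real audit should use the full list (for example via the publicsuffix2 package)
# so that example.co.uk and example.com are both handled correctly.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "org.uk"}

# Constructed sample input: (host whose response carried the header, Set-Cookie value).
# In practice you collect these from your site's responses and from any embedded
# third-party content such as advertising, analytics or widgets.
SAMPLE_RESPONSES: List[Tuple[str, str]] = [
    ("www.example.co.uk", "PHPSESSID=8f3a1c2e; Path=/; HttpOnly"),
    ("www.example.co.uk", "_ga=GA1.2.123456789.1300000000; Domain=.example.co.uk; "
                          "Expires=Thu, 01 Jan 2015 00:00:00 GMT; Path=/"),
    ("ads.adnetwork-example.net", "uid=ab12cd34; Domain=.adnetwork-example.net; "
                                  "Max-Age=31536000; Path=/; Secure"),
    ("static.example.co.uk", "prefs=lang%3Den; Max-Age=2592000; Path=/"),
]


@dataclass
class CookieRecord:
    name: str
    set_by: str        # host whose response set the cookie
    domain: str        # effective cookie domain (Domain attribute, else host-only)
    party: str         # "first-party" or "third-party" relative to the audited site
    persistent: bool   # True if Expires or Max-Age is present (survives the browser session)
    secure: bool
    http_only: bool


def registrable_domain(host: str) -> str:
    """Return the registrable domain (eTLD+1) of a host, e.g. www.example.co.uk -> example.co.uk.

    Tries the longest candidate suffix first so that co.uk wins over uk.
    """
    labels = host.lower().lstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES and i > 0:
            return ".".join(labels[i - 1:])
    return ".".join(labels)


def parse_set_cookie(site_host: str, set_by: str, header: str) -> CookieRecord:
    """Parse one Set-Cookie header and classify it relative to site_host."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, _value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()

    # Without a Domain attribute the cookie is host-only: it belongs to the host that set it.
    domain = attrs.get("domain") or set_by
    party = ("first-party"
             if registrable_domain(domain) == registrable_domain(site_host)
             else "third-party")
    return CookieRecord(
        name=name.strip(),
        set_by=set_by,
        domain=domain.lstrip("."),
        party=party,
        persistent=("expires" in attrs) or ("max-age" in attrs),
        secure="secure" in attrs,
        http_only="httponly" in attrs,
    )


def audit(site_host: str, responses: List[Tuple[str, str]]) -> List[CookieRecord]:
    """Classify every observed Set-Cookie header for the given site."""
    return [parse_set_cookie(site_host, host, header) for host, header in responses]


def third_party_cookies(records: List[CookieRecord]) -> List[str]:
    """Names of the cookies that need the closest look: those set by other domains."""
    return [r.name for r in records if r.party == "third-party"]


def summarize(records: List[CookieRecord]) -> Dict[str, int]:
    """Count cookies per party, the headline figure for a cookie audit."""
    counts: Dict[str, int] = {"first-party": 0, "third-party": 0}
    for r in records:
        counts[r.party] += 1
    return counts


if __name__ == "__main__":
    records = audit("www.example.co.uk", SAMPLE_RESPONSES)
    for r in records:
        kind = "persistent" if r.persistent else "session"
        print(f"{r.name:<10} {r.party:<12} {kind:<10} domain={r.domain} "
              f"secure={r.secure} httponly={r.http_only}")
    print("summary:", summarize(records))
    print("third-party cookies to review:", third_party_cookies(records))
```

On the constructed sample the analytics cookie comes out as first-party because it is set under the site's own registrable domain, which is exactly the distinction the guidelines draw for analytics, while the advertising cookie is the only third-party one. The suffix table is the part most likely to mislead in a real audit; without a proper public suffix list, anything under a two-level suffix such as co.uk would be misclassified.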
What about analytics
For many the biggest concern this legislation brought was that it would prevent the use of analytics. This is not the case.
On the last page of the guidelines they directly address the question of analytics. They write:
Provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action.
In short, as long as you tell the user that you are using analytics, you are in no serious danger.
How is the legislation going to be enforced
Like all guidelines, these are open to interpretation, and this creates fear of not complying correctly. However, failure to comply is not going to lead to automatic prosecution.
According to the guidelines, the initial step is to inform you that you are in breach of the regulations. This can lead on to an enforcement notice which compels you to make changes. Only if you ignore all of this do you face a possible monetary fine.
Obviously, I am not an expert in EU law and like the rest of you, I am trying to navigate my way through all of this. However from what I have read so far, this really isn’t turning into the doomsday scenario some have suggested.