Back in early May I asked the ICO to confirm the status of Jersey-hosted websites in relation to the extension of the updated EU legislation on cookies to the UK. I’ve received the following reply:
Dear Mr Robins
Thank you for your correspondence dated 9 May 2011.
I apologise for the lengthy delay in responding to you; we have been handling a high volume of enquiries which has unfortunately meant we have been unable to respond as promptly as we would like.
I understand that you wish to know whether your Jersey-based clients need to comply with the UK’s implementation of the new EU legislation in respect of cookies.
If your clients are operating in the UK (irrespective of whether their websites are technically hosted elsewhere) then those clients would be subject to UK law.
Where your clients are operating outside the EU with customers within the EU then those clients should comply with the rules in the countries which they are operating within. From a best practice and reputational perspective (that is, from the perspective of promoting customer confidence et cetera), those clients would surely want to try to comply with the EU’s rules in this area. However, whilst this would be a best practice approach, any ICO (or other EU equivalents) enforcement of breaches of these rules by non-EU based organisations could be difficult from a practical point of view.
I hope that this information is helpful.
Information Commissioner’s Office
It’s a pragmatic response; especially the last point about enforcement outside the EU.
I think this validates Webreality’s earlier advice that visible compliance is a good idea in terms of customer relations, as long as you do not give yourself a competitive disadvantage in the process.