UK Firms Get 12 Months Grace On Cookie Law

The Information Commissioner’s Office has announced that UK businesses running consumer websites will have up to 12 months to “get their house in order” before enforcement of the new EU cookies law begins.

The law, which comes into force today (26 May), is an amendment to the European Union’s Privacy and Electronic Communications Directive, and requires anyone running a website to get explicit opt-in consent from their visitors before deploying cookies.

The UK government has updated its own privacy and e-communications regulations to address the new EU requirement, but has said it does not expect the ICO to enforce this new rule straight away.

“This does not let everyone off the hook,” said Information Commissioner Christopher Graham. “Those who choose to do nothing will have their lack of action taken into account when we begin formal enforcement of the rules.”

Choose your cookies wisely

Cookies are small sections of code that websites put on a user’s computer so that they can remember something. They are used primarily to enable websites to remember users’ preferences, but can also be used to track consumers’ browsing behaviour for targeted advertising purposes.

The technology has been treated with some hostility since the Phorm controversy in 2006 and 2007, when BT was discovered to be secretly trialling the behavioural advertising technology. Phorm uses tracking cookies to build a profile of users’ habits and interests based on the websites they visit and then assign targeted ads.

The new law will give people greater choice about whether or not they want their online behaviour to be tracked. However, the Information Commissioner warned that implementation would be “challenging”. He added that browser settings will be an important part of the solution, but that the technology needed refining.

“It would obviously ruin some users’ browsing experience if they needed to negotiate endless pop ups,” said Graham.

Earlier this week, Culture Minister Ed Vaizey sent an open letter to UK businesses reassuring them that the government’s approach to implementing the updated EU Privacy and Electronic Communications Directive would be “light touch” and “business friendly”.

The ICO has issued guidelines on how businesses should handle the changes to regulations, and has also implemented the changes on its own site, to offer a model of how to comply. However, Graham said that every website is different, and “prescriptive and universal ‘to do’ lists would only hinder rather than help businesses to find a solution that works best for them and their customers”.

Companies need to start planning

When enforcement of the law does finally begin, the ICO will have the power to issue fines of up to £500,000 to organisations that make unwarranted marketing phone calls or send unwanted marketing emails to consumers.

Commenting on the news, George Thompson, information security director at KPMG, said that companies need to start tightening up their data management policies now, in order to avoid fines when the new law starts being enforced next year.

“Hardly any companies have made a pre-emptive move to request permission to use cookies. This in itself is surprising, but even then, organisations need an accurate record of who has and has not consented – and this cannot be done retrospectively,” he said.

“The new law inadvertently makes the collection of consent – yet another set of sensitive, customer data – compulsory. Companies need to tighten up their data management policies and make absolutely sure that every new data composition is covered.”

Sophie Curtis

View Comments

  • Will this new EU law include session cookies which only sit in the browser and expire as soon as the browser is closed???

  • I'm sure the larger companies will introduce some suitable solutions for their even large customer databases.

    However, it will be the majority of smaller online businesses that will struggle to implement this in a timely and effective manner. Most of these smaller online companies will only be involved in collecting analytics data regarding their visitor numbers etc; compliance will be just the same for everyone.

    A very timely update, Sophie, of the new EU cookie regulations.
