UK Firms Get 12 Months Grace On Cookie Law

The Information Commissioner’s Office has announced that UK businesses running consumer websites will have up to 12 months to “get their house in order” before enforcement of the new EU cookies law begins.

The law, which comes into force today (26 May), is an amendment to the European Union’s Privacy and Electronic Communications Directive, and requires anyone running a website to get explicit opt-in consent from their visitors before deploying cookies.

The UK government has updated its own privacy and e-communications regulations to address the new EU requirement, but has said it does not expect the ICO to enforce this new rule straight away.

“This does not let everyone off the hook,” said Information Commissioner Christopher Graham. “Those who choose to do nothing will have their lack of action taken into account when we begin formal enforcement of the rules.”

Choose your cookies wisely

Cookies are small sections of code that websites put on a users’ computers so that they can remember something. They are used primarily to enable websites to remember users’ preferences, but can also be used to track consumers’ browsing behaviour for targeted advertising purposes.

The technology has been treated with some hostility since the Phorm controversy in 2006 and 2007, when BT was discovered to be secretly trialling the behavioural advertising technology. Phorm uses tracking cookies to build a profile of users’ habits and interests based on the websites they visit and then assign targeted ads.

The new law will give people greater choice about whether or not they want their online behaviour to be tracked. However, the Information Commissioner (pictured) warned that implementation would be “challenging”. He added that browser settings will be an important part to the solution, but that the technology needed refining.

“It would obviously ruin some users’ browsing experience if they needed to negotiate endless pop ups,” said Graham.

Earlier this week, Culture Minister Ed Vaizey sent an open letter (pdf) to UK businesses reassuring them them that the government’s approach to implementing the updated EU Privacy and Electronic Communications Directive would be “light touch” and “business friendly”.

The ICO has issued guidelines on how businesses should handle the changes to regulations, and has also implemented the changes on its own site, to offer a model of how to comply. However, Graham said that every website is different, and “prescriptive and universal ‘to do’ lists would only hinder rather than help businesses to find a solution that works best for them and their customers”.

Companies need to start planning

When enforcement of the law does finally begin, the ICO will have the power to issue fines of up to £500,000 to organisations that make unwarranted marketing phone calls or send unwanted marketing emails to consumers.

Commenting on the news, George Thompson, information security director at KPMG, said that companies need to start tightening up their data management policies now, in order to avoid fines when the new law starts being enforced next year.

“Hardly any companies have made a pre-emptive move to request permission to use cookies. This in itself is surprising, but even then, organisations need an accurate record of who has and has not consented – and this cannot be done retrospectively,” he said.

“The new law inadvertently makes the collection of consent – yet another set of sensitive, customer data – compulsory. Companies need to tighten up their data management policies and make absolutely sure that every new data composition is covered.”