The Information Commissioner’s Office has announced that UK businesses running consumer websites will have up to 12 months to “get their house in order” before enforcement of the new EU cookies law begins.
The law, which comes into force today (26 May), is an amendment to the European Union’s Privacy and Electronic Communications Directive, and requires anyone running a website to get explicit opt-in consent from their visitors before deploying cookies.
The UK government has updated its own privacy and e-communications regulations to address the new EU requirement, but has said it does not expect the ICO to enforce this new rule straight away.
“This does not let everyone off the hook,” said Information Commissioner Christopher Graham. “Those who choose to do nothing will have their lack of action taken into account when we begin formal enforcement of the rules.”
Cookies are small sections of code that websites put on users’ computers so that they can remember something. They are used primarily to enable websites to remember users’ preferences, but can also be used to track consumers’ browsing behaviour for targeted advertising purposes.
The technology has been treated with some hostility since the Phorm controversy in 2006 and 2007, when BT was discovered to be secretly trialling the behavioural advertising technology. Phorm uses tracking cookies to build a profile of users’ habits and interests based on the websites they visit and then assign targeted ads.
“It would obviously ruin some users’ browsing experience if they needed to negotiate endless pop ups,” said Graham.
Earlier this week, Culture Minister Ed Vaizey sent an open letter (pdf) to UK businesses reassuring them that the government’s approach to implementing the updated EU Privacy and Electronic Communications Directive would be “light touch” and “business friendly”.
The ICO has issued guidelines on how businesses should handle the changes to regulations, and has also implemented the changes on its own site, to offer a model of how to comply. However, Graham said that every website is different, and “prescriptive and universal ‘to do’ lists would only hinder rather than help businesses to find a solution that works best for them and their customers”.
When enforcement of the law does finally begin, the ICO will have the power to issue fines of up to £500,000 to organisations that make unwarranted marketing phone calls or send unwanted marketing emails to consumers.
Commenting on the news, George Thompson, information security director at KPMG, said that companies need to start tightening up their data management policies now, in order to avoid fines when the new law starts being enforced next year.
“Hardly any companies have made a pre-emptive move to request permission to use cookies. This in itself is surprising, but even then, organisations need an accurate record of who has and has not consented – and this cannot be done retrospectively,” he said.
“The new law inadvertently makes the collection of consent – yet another set of sensitive, customer data – compulsory. Companies need to tighten up their data management policies and make absolutely sure that every new data composition is covered.”
Will this new EU law include session cookies which only sit in the browser and expire as soon as the browser is closed???
I'm sure the larger companies will introduce some suitable solutions for their even large customer databases.
However, it will be the majority of smaller online businesses that will struggle to implement this in a timely and effective manner. Most of these smaller online companies will only be involved in collecting analytics data regarding their visitor numbers etc; compliance will be just the same for everyone.
A very timely update Sophie of the new EU cookie regulations.
http://cookies.dev.wolf-software.com & http://countdown.wolf-software.com, a couple of things we have provided to try to assist with the new law.