The ICO’s advice for businesses on upcoming privacy regulations has been criticised for being ‘generic’
The Information Commissioner’s Office (ICO) has issued guidelines on how businesses should handle the upcoming changes to regulations affecting web browser cookies.
The nine-page document (PDF) is intended to give companies a better idea of what to expect when the legal changes come into effect on 26 May, according to the ICO.
The changes derive from an amendment to the EU’s Privacy and Electronic Communications Directive, which requires companies to get permission from users before tracking their activities with cookies. Previously, companies only needed to inform users they were using cookies, and provide information on how they could opt out.
The ICO admitted that the document is a work in progress, and emphasised that there is no single approach that will work for every organisation.
“Once you know what you do, how you do it and for what purpose, you need to think about the best method for gaining consent,” the ICO said in the document. “The more privacy intrusive your activity, the more you will need to do to get meaningful consent.”
The ICO has said it is planning to bring in enforcement in phases, and does not expect companies to immediately achieve perfect compliance. At the same time, companies must be seen to be making an effort to work out how they will deal with the new law, the ICO said.
“If the ICO were to receive a complaint about a website, we would expect an organisation’s response to set out how they have considered the points above and that they have a realistic plan to achieve compliance,” the ICO said in the document. “We would handle this sort of response very differently to one from an organisation which decides to avoid making any change to current practice. The key point is that you cannot ignore these rules.”
The ICO said possible penalties for those who don’t comply will be outlined in a separate document.
While some industry observers welcomed the ICO’s open and flexible approach, others argued that, in essence, it means that the burden is on companies to untangle the legal implications for themselves. And that will not come for free, according to City law firm Speechly Bircham.
“The haphazard way in which the Directive is still being interpreted across Europe coupled with the generic nature of these guidelines means that these changes – although certainly necessary in the short term – will do some damage to UK Plc’s balance sheet to start off with,” said Speechly Bircham partner Robert Bond in a statement. “The Government is clearly reaffirming their position that businesses must self-regulate and self-audit.”
Expenses could range from internal audits to third-party legal and IT input, according to Bond.
In March Information Commissioner Christopher Graham said businesses and other organisations running websites in the UK must ‘wake up’ to the fact that the new regulations are coming into force soon.
“Once the new regulations are published there will be a major job of education and guidance to be undertaken,” Graham said at the time. “In the meantime, both the business community and public sector organisations need to start thinking clearly about how they will meet the requirements of the new Directive.”