UK Firms Get 12 Months Grace On Cookie Law

The Information Commissioner’s Office has announced that UK businesses running consumer websites will have up to 12 months to “get their house in order” before enforcement of the new EU cookies law begins.

The law, which comes into force today (26 May), is an amendment to the European Union’s Privacy and Electronic Communications Directive, and requires anyone running a website to get explicit opt-in consent from their visitors before deploying cookies.

The UK government has updated its own privacy and e-communications regulations to address the new EU requirement, but has said it does not expect the ICO to enforce this new rule straight away.

“This does not let everyone off the hook,” said Information Commissioner Christopher Graham. “Those who choose to do nothing will have their lack of action taken into account when we begin formal enforcement of the rules.”

Choose your cookies wisely

Cookies are small sections of code that websites put on users’ computers so that they can remember something. They are used primarily to enable websites to remember users’ preferences, but can also be used to track consumers’ browsing behaviour for targeted advertising purposes.

The technology has been treated with some hostility since the Phorm controversy in 2006 and 2007, when BT was discovered to be secretly trialling the behavioural advertising technology. Phorm uses tracking cookies to build a profile of users’ habits and interests based on the websites they visit and then assign targeted ads.

The new law will give people greater choice about whether or not they want their online behaviour to be tracked. However, the Information Commissioner warned that implementation would be “challenging”. He added that browser settings will be an important part of the solution, but that the technology needed refining.

“It would obviously ruin some users’ browsing experience if they needed to negotiate endless pop-ups,” said Graham.

Earlier this week, Culture Minister Ed Vaizey sent an open letter to UK businesses reassuring them that the government’s approach to implementing the updated EU Privacy and Electronic Communications Directive would be “light touch” and “business friendly”.

The ICO has issued guidelines on how businesses should handle the changes to regulations, and has also implemented the changes on its own site, to offer a model of how to comply. However, Graham said that every website is different, and “prescriptive and universal ‘to do’ lists would only hinder rather than help businesses to find a solution that works best for them and their customers”.

Companies need to start planning

When enforcement of the law does finally begin, the ICO will have the power to issue fines of up to £500,000 to organisations that make unwarranted marketing phone calls or send unwanted marketing emails to consumers.

Commenting on the news, George Thompson, information security director at KPMG, said that companies need to start tightening up their data management policies now, in order to avoid fines when the new law starts being enforced next year.

“Hardly any companies have made a pre-emptive move to request permission to use cookies. This in itself is surprising, but even then, organisations need an accurate record of who has and has not consented – and this cannot be done retrospectively,” he said.

“The new law inadvertently makes the collection of consent – yet another set of sensitive, customer data – compulsory. Companies need to tighten up their data management policies and make absolutely sure that every new data composition is covered.”

Sophie Curtis

Comments

  • Will this new EU law include session cookies which only sit in the browser and expire as soon as the browser is closed???

  • I'm sure the larger companies will introduce some suitable solutions for their even large customer databases.

    However, it will be the majority of smaller online businesses that will struggle to implement this in a timely and effective manner. Most of these smaller online companies will only be involved in collecting analytics data regarding their visitor numbers etc; compliance will be just the same for everyone.

    A very timely update, Sophie, of the new EU cookie regulations.
