Websites targeted at UK users are to be given a one-year grace period before they could face enforcement over the new cookie law.
Information Commissioner Christopher Graham said that the UK government's revision of the Privacy and Electronic Communications Regulations, which come into force in the UK on the 26th May to address new EU requirements, make it clear that UK businesses and organisations running websites in the UK need to get consent from visitors to their websites in order to store cookies on users' computers.
The new rules include: guidance on how the ICO will enforce the new rules on cookies; help for consumers on what the new rules will mean for them and how to complain; and information on what the ICO itself is doing to comply with the new rules in respect of its own website.
Graham said: “I have said all along that the new EU rules on cookies are challenging. It would obviously ruin some users' browsing experience if they needed to negotiate endless pop ups and I am not saying that businesses have to go down that road.
“Equally, I have to remember that this law has been brought in to give consumers more choice about what companies know about them. That's why I'm taking a common sense approach that takes both views into account.
“Browser settings giving individuals more control over cookies will be an important contributor to a solution. But the necessary changes to the technology aren't there yet. In the meantime, although there isn't a formal transitional period in the regulations, the government has said they don't expect the ICO to enforce this new rule straight away. So we're giving businesses and organisations up to one year to get their house in order. This does not let everyone off the hook. Those who choose to do nothing will have their lack of action taken into account when we begin formal enforcement of the rules.”
He went to say that every website is different and prescriptive ‘to do' lists would only hinder rather than help businesses to find a solution that works best for them and their customers, so it will supplement its guidelines with real-life examples as time goes on.
Paul Vlissidis, technical director of NGS Secure, an NCC Group company, said that given the lack of any current action, it is unlikely that any EU nation will be able to enforce or even police the directive proactively in the short-term.
“While the ICO's guidelines are a good starting point for a company to review its online presence, more comprehensive investigations will be required in the long term as member nations rulings become more stringent. We would call on companies not to wait and get caught out by the directive, but to review procedures now,” he said.
“While many in the technology industry (particularly in the behavioural advertising sector, the biggest users of cookies) are unhappy with the directive, we do believe that protecting consumers and business privacy online is of upmost importance. Not only should this be the responsibility of the website provider, but also the browser industry and the user themselves.
George Thompson, information security director at KPMG, said: “Very few organisations are ready to meet this new burden of proof, despite a recent spate of high profile, commercially damaging data breaches and incidents of loss. We are yet to see how the ICO will wield its new powers, but the inevitable audits will surely uncover some very painful truths about risk and compliance.
Andreas Edler, managing director at hosting company Hostway, said: “The guidelines produced by the ICO seem to pose more questions than answers. It still is unclear how the law applies to the average small business or what changes users need to make in order to comply with the legislation.
“The legislation has good intentions in aiming to help protect peoples' online privacy but it has opened up a minefield of compliance issues. The government really should have taken a more proactive approach towards its implementation. After all, this has been in discussion amongst EU members, including the UK, since September last year, so why only now is the ICO starting to treat it as a matter of priority? Clearly, most businesses and organisations won't have been able to make the changes by the 26th May deadline.
“In my view, this is really making a mockery of the law. Why implement a law when you have only just started to tell people what they can do to abide by it? In our opinion, the introduction of the law should be delayed until such a time as people can be reasonably expected to comply with it.”
“I think it's a bit like driving. We know cars are dangerous. Everyone knows the risk when we get in the car and we prosecute reckless and dangerous drivers. That's what the law is like currently. The new EU proposals are like asking us to get all of our passengers to sign an agreement knowing of the risk. It concentrates on the paperwork, not making people safer. All in all a great opportunity missed.”