ICO claims websites must try harder on cookie compliance - and encourages looking at other sites for guidance

News by Dan Raywood

Websites have been ordered to 'try harder' by the Information Commissioner's Office when it comes to new laws on cookies.

Websites have been ordered to ‘try harder' by the Information Commissioner's Office when it comes to new laws on cookies.

Initially detailed by SC Magazine in March, the new laws will mean that websites will have to gain ‘explicit consent' from visitors to store or access information on their computers from Thursday 26 May.

However, on 25 May, the ICO announced that businesses would be given a year's grace to get their websites prepared for the new rules.

But at the mid-point between announcement and enforcement, Information Commissioner Christopher Graham said that website owners "must try harder" to comply with the cookies law.

In its half-term report, the ICO denied that the rulings will 'kill' the internet, but it recognised that compliance could not be achieved overnight and that the internet could not be switched off and on again to achieve compliance.

He said: “What I want to see are good solutions rather than rushed ones and that was why, when we published the guidance, I made it clear that there would be a 12 month lead-in period during which it was unlikely that the Commissioner would take formal action against organisations that were not complying with the new law.

“This was not a suspension of the law and I did not rule out taking action where there was an egregious breach, but it is not good regulation to punish people for things they do not yet understand or where the tools for compliance are in development.”

He claimed that although very few sites were perfectly compliant from day one, there are good things being done and without endorsing specific products or services, he said there are people going about this the right way.

He said: “I am glad to see them following the advice, setting the standards and of course, learning as they go because if someone else contacts my office wanting to know how to comply, it is much better for us to point them towards an example of something that really works than simply tell them what we think might work.”

Graham also said that after 26 May 2012, there will not be a wave of knee-jerk formal enforcement action taken against people who are not yet compliant and, if you are working towards compliance and following guidance, then he said to keep going.

“If you haven't started yet, you need to be reading the advice, speaking to your peers, looking at how other websites inform and empower their users,” he said.

“But if you have decided that this is all too difficult, that you don't want to give your users choices about how your web pages might collect information about them or that you will get around the law by wilfully misleading people about what you do and how you do it, then be assured that if we get complaints or have concerns then we will be checking your site and we will take the necessary steps to ensure that you do work towards compliance.”

In his overall impressions, Graham said that he does not expect every website to be well on the way to compliance with the new rule, but if a website uses cookies and is not doing anything to get user consent, then it is not compliant.

Graham concluded by saying: “There is no silver bullet and we are not expecting you to invent one. If we approach your organisation about this topic, perhaps because we have received complaints, we expect you to be able to tell us what you have done so far, how you expect to be compliant and how long it will take.

“Exactly what you tell us will depend on who you are, the sophistication and complexity of your website and who your users are but we will expect that you can tell us something.”

He recommended that websites be honest with registered users and "do whatever you can to demonstrate your compliance".

“Three things will help: following the ICO advice, looking for and implementing the ‘quick wins' and keeping an eye out for industry or sectoral standards and codes. After all, if everyone else in your area of business has done a cookie audit, is changing the way they explain things to users and has engaged with industry peers to come up with consistent messages, the ICO might reasonably ask “if they can do it, why can't you?," he said.

Stewart Room, partner at Field Fisher Waterhouse, said: “As half a year approaches to the cookie law, no one is going to be ready for this so they either fine everyone or offer some guidance on how to manage this.

“The real problem is that there is no clear guidance from the government, ICO or EU on compliance, there is nothing on the functionality and websites need a solution. What does a functional solution look like? Having multiple pop-ups will ruin the browsing experience but the problem is that businesses want pragmatic guidance and the law and regulators want much more, but it is unclear as to what the rule is.

“They have not got a ruleshare on the right approach. This is not likely to change any time soon so businesses have to follow the letter of the law and they are left with a functionality that is user friendly and does damage in terms of the user experience. Is this a price worth paying?”


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews