Cookie law could lead to new 'Bodil Lindqvist' cases
Cookie law could lead to new 'Bodil Lindqvist' cases

The Information Commissioner's Office (ICO) has begun issuing letters regarding its new laws on cookies.

The letter said that its purpose was "to gather information to assist the commissioner in understanding how organisations are working towards, or have achieved compliance with, the revised rules for cookies" and was directed at "the most popular [sites] used by the general public".

It said: “Our expectation is that you will now be able to demonstrate the action your organisation has taken to comply with the revised rules for cookies.

“If your organisation has not yet achieved compliance, please provide an explanation about why it has not been possible to comply within time, a clear timescale for when compliance will be achieved, and details of specifically what work is being done to make that happen.

“It will assist the Information Commissioner if you could also explain what you are doing to ensure users are aware of any third-party activity, such as analytics or advertising, taking place on your website, and what information you are providing to users about how to control that third-party activity via their browser.”

The amendment to the European Commission's Privacy and Electronic Communications Directive came into force in May 2011, but information commissioner Christopher Graham gave British organisations a year to conform.

Peter Gooch, privacy director at Deloitte, said: “A number of grey areas remain. For example, a website might sell some of its space for marketing, which is auctioned in real time to advertisers, making it near impossible to show users immediately which cookies are going to be used. The questions over where responsibility lies in this situation also require further clarification.

“What is clear is that doing nothing is not an option. While the ICO has issued some guidance on recommended approaches, [where] opt-in consent (for instance a pop-up requesting consent) [or] implied consent (for instance where a user closes that pop-up without choosing ‘yes' or ‘no') might be suitable is still in debate.

“However, where companies are taking practical steps to identify and categorise the cookies they use and put in place plans for compliance, they may be less likely to be pursued by the regulator, at least in the near term.”

Rob Rachwald, director of security strategy at Imperva, said: “The good news is that most consumers have no clue about what cookies do and just how much personal information they help websites harvest. Websites and internet technology have become so complex that it is impossible for a typical consumer to understand the implications of a simple click.

“This law will hopefully help consumers understand that cookies are the keys to personal information and present a threat if exploited, stolen, altered, harvested or hijacked.

"The bad news? The law is ambiguous. In the past, regulators have made regulations intentionally vague. The legislative thinking is that ambiguity forces the private sector to experiment with different approaches until somewhere, somehow, someone finds the right way. The rest of the market soon follows the lead.

“The lesson from PCI is that suggesting a precise approach, even one created by the private sector, removes a lot of guesswork and the time to compliance accelerates. For some time, we can expect to see a lot of confused consumers and companies.”