Feeds

ICO warns: Just six months to comply with EC cookie rules

No 'wave of knee-jerk enforcement' come 26 May, tho

Providing a secure and efficient Helpdesk

The Information Commissioner's Office won't begin enforcing the new cookies law for another six months yet - in the meantime, the regulator has issued a reminder to web outfits warning them to prepare to comply with the legislation.

On 25 May 2011, the implementation of the revised e-Privacy Directive passed with a whimper rather than a bang, after just two Member States issued a full notification to Brussels. The remaining 25 countries that make up the European Union failed to meet that deadline.

The UK at that point had offered Brussels officials partial notifications, despite the fact that the Commission had clearly stated that the implementation of all the measures detailed in the directive were required to be transposed into national law.

European Commissioner Viviane Reding told this reporter in June that she was surprised by how many member states had ignored the deadline for implementing the ePrivacy Directive, which included a requirement for businesses to be much more upfront about their use of cookies online.

"I always meet people who are astonished that Christmas is on the 25th of December. I always encounter governments that are astonished that a law that has been voted for two or three years before has to be applied on that date … That is not just on the cookies, but a general problem, which I have normally," she said.

"This decision doesn’t come out of the blue. That was the Council of Ministers plus the European Parliament who had done this together … You decide something, you apply it. If you don’t we bring the country to the court."

However, the UK government made the decision to effectively free up web owners from the burden of complying to the directive that required sites within the EU to obtain a visitor's consent to install a cookie in their browser, by deferring enforcement of the law for one year.

And now, Blighty's data protection watchdog is having another punt at playing the friendly policeman with website owners operating in the UK.

“The guidance we’ve issued today builds on the advice we’ve already set out, and now includes specific practical examples of what compliance might look like," said Information Commissioner Christopher Graham.

"We’re half way through the lead-in to formal enforcement of the rules. But, come 26 May next year, when our 12 month grace period ends, there will not be a wave of knee-jerk formal enforcement actions taken against those who are not yet compliant but are trying to get there.”

However, fines of up to £500,000 could be levied against those web outfits that fail to get their cookie-tracking in order come mid-2012.

“Our mid-term report can be summed up by the schoolteacher’s favourite clichés 'could do better' and 'must try harder.' Many people running websites will still be thinking that implementing the law is an impossible task," said Graham.

"But they now need to get to work. Over the last few months we’ve been speaking to and working with businesses and organisations that are getting on with it and setting the standard. My message to others is – if they can do it, why can’t you?"

He added that "prescriptive check lists" would not be issued by the ICO.

In May, the government confirmed it was working with Mozilla, Apple, Microsoft, Google, Yahoo, Adobe and the Internet Advertising Bureau to come up with a browser solution to obtaining users' consent.

At the time, it indicated that coming up with a browser setting that helped websites comply with the directive was - in part - the reason behind the ICO delaying enforcement for a year.

The ICO noted yesterday that: "Achieving compliance in relation to third party cookies is one of the most challenging areas," it said, thereby flagging up one of the main issues website owners have with the directive.

"The ICO is working with other European data protection authorities and the industry to assist in addressing the complexities and finding the right answers."

That comment seemed to suggest that it's now open season for any web outfits in the UK lobbying for tracking online behaviour without requesting consent just as the six-month countdown to compliance begins... ®

Internet Security Threat Report 2014

More from The Register

next story
UNIX greybeards threaten Debian fork over systemd plan
'Veteran Unix Admins' fear desktop emphasis is betraying open source
Netscape Navigator - the browser that started it all - turns 20
It was 20 years ago today, Marc Andreeesen taught the band to play
Redmond top man Satya Nadella: 'Microsoft LOVES Linux'
Open-source 'love' fairly runneth over at cloud event
Google+ goes TITSUP. But WHO knew? How long? Anyone ... Hello ...
Wobbly Gmail, Contacts, Calendar on the other hand ...
Chrome 38's new HTML tag support makes fatties FIT and SKINNIER
First browser to protect networks' bandwith using official spec
Admins! Never mind POODLE, there're NEW OpenSSL bugs to splat
Four new patches for open-source crypto libraries
Torvalds CONFESSES: 'I'm pretty good at alienating devs'
Admits to 'a metric ****load' of mistakes during work with Linux collaborators
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.