
ICO on new Cookie Law: 'Don't expect torrent of enforcement action'

Plans to wait for user complaints as the law comes into effect


Amid criticism that hardly any UK government websites comply with the new EU-mandated "Cookie Law" that comes into force on 27 May, the ICO has announced that it will be sending out some letters, and then waiting for people to complain.

The ICO will send out 50 letters to the UK's biggest websites over the next few days, its deputy commissioner, David Smith, has announced. At a press conference this morning, Smith said the ICO planned to ask the sites to show that they are asking users' consent for any cookies the websites are using to track their behaviour.

After that, the ICO will wait for users to complain about cookies on particular sites before investigating individual organisations for breaching the data protection law.

Cookie Law crunches into force

The Cookie Law officially came into force last year as part of the EU Privacy Act, but the UK allowed a year-long grace period during which the law was not actually enforced, in order for businesses to work towards complying with it. However, the measures announced today by the ICO seem to suggest that enforcement will be reactive and based on user complaints.

The end of the safe period "doesn't mean the ICO is going to launch a torrent of enforcement action", said the deputy commissioner, and it would take serious breaches of data protection that caused "significant distress" to attract the maximum £0.5m non-compliance fine.

The 50 UK sites that the ICO is targeting will be ones that have the most unique users or are particularly well-known, the deputy commissioner said, and that may include government department sites. Government websites came in for a slating when it was found that many of them did not comply with the cookie legislation that the government is trying to bring in.

What organisations need to do

Companies didn't need to hire in consultants, said the ICO's David Evans, liaison manager for business and industry, but they did need to demonstrate awareness of the laws and some kind of action plan.

We don't expect all organisations not compliant on the 27th to have some evidence of taking action to be compliant.

The first step would include doing a cookie audit, then making a judgement about what is acceptable, and then making an action plan about how they're going to inform users.

Evans stressed that consumers would have to be informed in an unambiguous, clear way – so no small print legalese jammed at the bottom of a webpage. Websites would also have to take account of who their users are when drafting the notices: "Different websites have different demographics and that means that they have to explain cookies differently," said Evans.

Asked whether the ICO thought users knew enough to be able to consent to cookie agreements, Evans said: "We're not asking that user education has to give everyone a masters in computer science." He added that the legal definition of consent did not ask for proof that users understood what they were doing.

But the ICO will consider that websites will be responsible for all cookies on their site: even if the cookies come from third parties – for example from adverts provided by an advertising service. Sites that host advertising need to talk to their advertisers about what cookies the advertisers are serving up and then pass that information onto users.

"It's a complicated chain, I know," said the deputy commissioner, saying that they were in talks with advertising bodies about standards.

And the organisations that don't need to do anything

The businesses that are exempted from having to comply with the Cookie Law include search engines and social networks – most notably Facebook and Google – which are not based in the UK, as they do not fall under the ICO or EU remit.

The deputy commissioner said that the law would not affect offshore companies who had no physical presence in the UK.

And then things could get messy across the EU as well: All EU countries have to meet the same legal requirements – the Cookie Law is EU-wide – but with different enforcement bodies in different countries, they could all enforce it in different ways.

Smith said:

We have to work with our EU colleagues and the Do Not Track movement in the States, but at the moment we're focusing on UK sites.

®
