ICO on new Cookie Law: 'Don't expect torrent of enforcement action'

Plans to wait for user complaints as the law comes into effect

Amid criticism that hardly any UK government websites comply with the new EU-mandated "Cookie Law" that comes into force on 27 May, the ICO has announced that it will be sending out some letters, and then waiting for people to complain.

The ICO will send out 50 letters to the UK's biggest websites over the next few days, its deputy commissioner, David Smith, has announced. At a press conference this morning, Smith said the ICO planned to ask the sites to show that they are asking users' consent for any cookies the websites are using to track their behaviour.

After that, the ICO will wait for users to complain about cookies on particular sites before investigating individual organisations for breaching the data protection law.

Cookie Law crunches into force

The Cookie Law officially came into force last year as part of the EU Privacy Act, but the UK allowed a year-long grace period during which the law was not actually enforced in order for businesses to work towards complying with it. However the measures announced today by the ICO seem to suggest that enforcement will be reactive and based on user complaints.

The end of the safe period "doesn't mean the ICO is going to launch a torrent of enforcement action", said the deputy commissioner, and it would take serious breaches of data protection that caused "significant distress" to attract the maximum £0.5m non-compliance fine.

The 50 UK sites that the ICO is targeting will be ones that have the most unique users or are particularly well-known, the deputy commissioner said, and that may include government department sites. Government websites came in for a slating when it was found that many of them did not comply with the cookie legislation that the government is trying to bring in.

What organisations need to do

Companies didn't need to hire in consultants, said the ICO's David Evans, liaison manager for business and industry, but they did need to demonstrate awareness of the laws and some kind of action plan.

We don't expect all organisations not compliant on the 27th to have some evidence of taking action to be compliant.

The first steps would include: doing a cookie audit, then making a judgement about what is acceptable, and then making an action plan for how they're going to inform users.

Evans stressed that consumers would have to be informed in an unambiguous, clear way – so no small print legalese jammed at the bottom of a webpage. Websites would also have to take account of who their users are when drafting the notices: "Different websites have different demographics and that means that they have to explain cookies differently," said Evans.

Asked whether the ICO thought users knew enough to be able to consent to cookie agreements, Evans said: "We're not asking that user education has to give everyone a masters in computer science." He added that the legal definition of consent did not ask for proof that users understood what they were doing.

But the ICO will hold websites responsible for all cookies on their site, even cookies set by third parties – for example by adverts provided by an advertising service. Sites that host advertising need to talk to their advertisers about what cookies the advertisers are serving up and then pass that information on to users.

"It's a complicated chain, I know," said the deputy commissioner, saying that they were in talks with advertising bodies about standards.

And the organisations that don't need to do anything

The businesses that are exempted from having to comply with the Cookie Law include search engines and social networks – most notably Facebook and Google – which are not based in the UK, as they do not fall under the ICO or EU remit.

The deputy commissioner said that the law would not affect offshore companies who had no physical presence in the UK.

And then things could get messy across the EU as well: all EU countries have to meet the same legal requirements – the Cookie Law is EU-wide – but with different enforcement bodies in different countries, they could all enforce it in different ways.

Smith said:

We have to work with our EU colleagues and the Do Not Track movement in the States, but at the moment we're focusing on UK sites.

®
