ICO warns: Just six months to comply with EC cookie rules
No 'wave of knee-jerk enforcement' come 26 May, tho
The Information Commissioner's Office won't begin enforcing the new cookies law for another six months yet - in the meantime, the regulator has issued a reminder to web outfits warning them to prepare to comply with the legislation.
On 25 May 2011, the implementation of the revised e-Privacy Directive passed with a whimper rather than a bang, after just two Member States issued a full notification to Brussels. The remaining 25 countries that make up the European Union failed to meet that deadline.
The UK at that point had offered Brussels officials partial notifications, despite the fact that the Commission had clearly stated that the implementation of all the measures detailed in the directive were required to be transposed into national law.
"I always meet people who are astonished that Christmas is on the 25th of December. I always encounter governments that are astonished that a law that has been voted for two or three years before has to be applied on that date … That is not just on the cookies, but a general problem, which I have normally," she said.
"This decision doesn’t come out of the blue. That was the Council of Ministers plus the European Parliament who had done this together … You decide something, you apply it. If you don’t we bring the country to the court."
However, the UK government made the decision to effectively free up web owners from the burden of complying to the directive that required sites within the EU to obtain a visitor's consent to install a cookie in their browser, by deferring enforcement of the law for one year.
And now, Blighty's data protection watchdog is having another punt at playing the friendly policeman with website owners operating in the UK.
“The guidance we’ve issued today builds on the advice we’ve already set out, and now includes specific practical examples of what compliance might look like," said Information Commissioner Christopher Graham.
"We’re half way through the lead-in to formal enforcement of the rules. But, come 26 May next year, when our 12 month grace period ends, there will not be a wave of knee-jerk formal enforcement actions taken against those who are not yet compliant but are trying to get there.”
However, fines of up to £500,000 could be levied against those web outfits that fail to get their cookie-tracking in order come mid-2012.
“Our mid-term report can be summed up by the schoolteacher’s favourite clichés 'could do better' and 'must try harder.' Many people running websites will still be thinking that implementing the law is an impossible task," said Graham.
"But they now need to get to work. Over the last few months we’ve been speaking to and working with businesses and organisations that are getting on with it and setting the standard. My message to others is – if they can do it, why can’t you?"
He added that "prescriptive check lists" would not be issued by the ICO.
In May, the government confirmed it was working with Mozilla, Apple, Microsoft, Google, Yahoo, Adobe and the Internet Advertising Bureau to come up with a browser solution to obtaining users' consent.
At the time, it indicated that coming up with a browser setting that helped websites comply with the directive was - in part - the reason behind the ICO delaying enforcement for a year.
The ICO noted yesterday that: "Achieving compliance in relation to third party cookies is one of the most challenging areas," it said, thereby flagging up one of the main issues website owners have with the directive.
"The ICO is working with other European data protection authorities and the industry to assist in addressing the complexities and finding the right answers."
That comment seemed to suggest that it's now open season for any web outfits in the UK lobbying for tracking online behaviour without requesting consent just as the six-month countdown to compliance begins... ®
Sponsored: Becoming a Pragmatic Security Leader