‘Must try harder’ on cookies compliance, says ICO

News release: 13 December 2011

Website owners ‘must try harder’ on complying with the new cookies law the Information Commissioner’s Office (ICO) said today, as it published its half term report on enforcing the new rules.

The ICO has also today published updated guidance for UK website owners, setting out specific examples of what compliance looks like.

Information Commissioner, Christopher Graham, said:

“The guidance we’ve issued today builds on the advice we’ve already set out, and now includes specific practical examples of what compliance might look like. We’re half way through the lead-in to formal enforcement of the rules. But, come 26 May next year, when our 12 month grace period ends, there will not be a wave of knee-jerk formal enforcement actions taken against those who are not yet compliant but are trying to get there.”

The UK government has revised the Privacy and Electronic Communications Regulations, which came into force in the UK on 26 May, to address new EU requirements. The Regulations make clear that UK businesses and organisations running websites in the UK need to get consent from visitors to their websites in order to store cookies on users’ computers.

One common technique of storing information is widely known as a cookie. This is a small file that a website puts on a user’s computer so that it can remember something, for example the user’s preferences, at a later time. The majority of businesses and organisations in the UK currently use cookies for a wide variety of reasons – from analysing consumer browsing habits to remembering a user’s payment details when buying products online.

As the independent arbiter of information rights, the Information Commissioner has been charged with regulating the new rules for websites aimed at UK consumers.

Mr Graham continued:

“Our mid-term report can be summed up by the schoolteacher’s favourite clichés “could do better” and “must try harder.” Many people running websites will still be thinking that implementing the law is an impossible task. But they now need to get to work. Over the last few months we’ve been speaking to and working with businesses and organisations that are getting on with it and setting the standard. My message to others is – if they can do it, why can’t you?

“Some people seem to want us to issue prescriptive check lists detailing exactly what they need to do to comply. But this would only get in the way and would be too restrictive for many businesses and organisations. Those actually running websites are far better placed to know what will work for them and their customers.”

Key points set out in the amended cookies advice include:

• More detail on what is meant by consent. The advice says ‘consent must involve some form of communication where an individual knowingly indicates their acceptance.’
• The guidance explains that cookies used for online shopping baskets and ones that help keep user data safe are likely to be exempt from complying with the rules.
• However, cookies used for most other purposes including analytical, first and third party advertising, and ones that recognise when a user has returned to a website, will need to comply with the new rules.
• Achieving compliance in relation to third party cookies is one of the most challenging areas. The ICO is working with other European data protection authorities and the industry to assist in addressing the complexities and finding the right answers.
• The ICO will focus its regulatory efforts on the most intrusive cookies or where there is a clear privacy impact on individuals.
   

Notes to Editors

1. The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

2. The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.

3. The ICO is on Twitter, Facebook and LinkedIn. Read more in the ICO blog and e-newsletter.

4. If you need more information, please contact the ICO press office on 0303 123 9070 or ico.gov.uk/press