Time running out for many UK firms on the cookie law

With under a month-and-a-half to go before the UK's new rules on website cookies become enforceable, it is surprising that 95% of the organisations surveyed have yet to comply, according to a review of 55 UK organisations' websites by consultancy KPMG.

It is surprising for two reasons: one, any organisation that is not compliant by 26 May risks a fine of up to £500,000 and, two, UK organisations have had a year to prepare.

The cookie rules derive from a 2009 amendment to the EU's Privacy and Electronic Communications Directive. Although the UK regulations implementing that amendment came into force on 26 May 2011, the Information Commissioner's Office (ICO) gave businesses 12 months to address the new requirements and "get their house in order".

The ICO even went as far as publishing a set of guidelines and setting a good example by making sure that the watchdog’s own website was compliant very early on.

That grace period ends on 26 May 2012, when the ICO begins enforcement. From then on, websites need a user's opt-in consent before setting cookies that are not strictly necessary for a service the user has asked for; cookies that pass information about browsing activity to third parties, such as advertising and analytics trackers, are the clearest case. Non-compliant websites may be fined.

Yet the KPMG analysis showed a surprising lack of compliance: only one of the 55 sites asked specifically for opt-in consent, which is the key requirement of the directive. Two sites did not use any cookies at all.

This means that the majority of UK organisations need to do a substantial amount of work to their websites.

But with fewer than 50 days to go, time is running out, said Stephen Bonner, a partner in the Information Protection and Business Resilience team at KPMG.

"While the majority of the websites we analysed made a reference to the use of cookies under either the terms and conditions or specific privacy policies, and some also stated how the cookies are being used, this is not enough to ensure compliance with the directive," he said.

According to Bonner, organisations now need to focus on building an inventory of their websites and the cookies currently in use, then evaluating each cookie's purpose and establishing a pragmatic plan to reach compliance before the deadline.

The KPMG review revealed that, in addition to the one site already asking specifically for opt-in, only two sites mentioned that they were being updated to become compliant before the deadline.

Helpfully, KPMG has drawn up five tips for organisations to ensure full compliance:

1. Perform a review of the cookies your website sets
2. Evaluate the information each cookie in use collects, and whether your organisation genuinely needs it
3. Start adding consent requests to cookies related to logon, registration and similar processes
4. Create a plan to extend this to the remainder of your website
5. Don't waste any more time: make sure you know which cookies your sites set, understand how the law applies to them, seek legal counsel if required, and set a firm schedule for making your website compliant
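The first two tips amount to building a cookie inventory, and the following script shows what that looks like in practice. It is an added example, not tooling from KPMG or the ICO: it takes the Set-Cookie headers observed while browsing a site (here a constructed sample for a fictitious `example.co.uk`; in practice you would capture them with a crawler or a browser's developer tools), records which host set each cookie, the domain it is scoped to and whether it outlives the browser session, and flags cookies that are third-party relative to the site under review, the case the article singles out for opt-in consent. Whether a first-party cookie is "strictly necessary" is a legal judgement the script deliberately does not make.

```python
"""Cookie inventory for a compliance review (added example; sample data is constructed)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
from urllib.parse import urlsplit


@dataclass
class CookieRecord:
    name: str
    set_by: str          # host whose response carried the Set-Cookie header
    domain: str          # effective cookie domain: Domain attribute, else the host
    persistent: bool     # outlives the browser session (Expires or positive Max-Age)
    third_party: bool    # scoped to a domain outside the site under review
    attributes: Dict[str, str] = field(default_factory=dict)

    @property
    def needs_opt_in(self) -> bool:
        """The class the article says needs consent first: third-party cookies."""
        return self.third_party


def domain_matches(domain: str, site_domain: str) -> bool:
    """True when `domain` is `site_domain` itself or a subdomain of it."""
    return domain == site_domain or domain.endswith("." + site_domain)


def parse_set_cookie(header: str, response_url: str, site_domain: str) -> CookieRecord:
    """Parse one Set-Cookie header value (RFC 6265 syntax) into a CookieRecord."""
    pieces = [p.strip() for p in header.split(";")]
    name, _, _value = pieces[0].partition("=")
    attributes: Dict[str, str] = {}
    for piece in pieces[1:]:
        key, _, val = piece.partition("=")          # flags like Secure get an empty value
        attributes[key.strip().lower()] = val.strip()

    host = (urlsplit(response_url).hostname or "").lower()
    # Browsers ignore a leading dot on Domain (RFC 6265 section 5.2.3).
    domain = attributes.get("domain", "").lstrip(".").lower() or host

    # Max-Age takes precedence over Expires; Max-Age=0 deletes rather than persists.
    if "max-age" in attributes and attributes["max-age"].lstrip("-").isdigit():
        persistent = int(attributes["max-age"]) > 0
    else:
        persistent = "expires" in attributes

    return CookieRecord(
        name=name.strip(),
        set_by=host,
        domain=domain,
        persistent=persistent,
        third_party=not domain_matches(domain, site_domain),
        attributes=attributes,
    )


def build_inventory(responses: List[Tuple[str, List[str]]], site_domain: str) -> List[CookieRecord]:
    """responses: (url, [Set-Cookie values]) pairs captured while browsing the site."""
    return [parse_set_cookie(h, url, site_domain) for url, headers in responses for h in headers]


def summarise(records: List[CookieRecord]) -> Dict[str, object]:
    """Headline numbers for the compliance plan."""
    return {
        "total": len(records),
        "persistent": sum(r.persistent for r in records),
        "third_party": sum(r.third_party for r in records),
        "opt_in_required": [r.name for r in records if r.needs_opt_in],
    }


# Constructed sample: what a crawl of a fictitious site might have captured.
SITE_DOMAIN = "example.co.uk"
SAMPLE_RESPONSES = [
    ("https://www.example.co.uk/", [
        "JSESSIONID=abc123; Path=/; Secure; HttpOnly",
        "prefs=lang%3Den; Domain=.example.co.uk; Path=/; Expires=Wed, 21 May 2014 12:00:00 GMT",
    ]),
    ("https://cdn.example.co.uk/lib.js", [
        "cdn_ab=B; Path=/; Max-Age=0",
    ]),
    ("https://ads.tracker-example.net/pixel.gif", [
        "uid=9f8e7d; Domain=.tracker-example.net; Path=/; Max-Age=31536000",
    ]),
]


if __name__ == "__main__":
    inventory = build_inventory(SAMPLE_RESPONSES, SITE_DOMAIN)
    print(f"{'name':<12}{'set by':<28}{'domain':<22}{'persistent':<12}{'3rd party':<11}opt-in?")
    for r in inventory:
        print(f"{r.name:<12}{r.set_by:<28}{r.domain:<22}{str(r.persistent):<12}"
              f"{str(r.third_party):<11}{'yes' if r.needs_opt_in else 'no'}")
    print(summarise(inventory))
```

Run against the sample, the session cookie and the CDN's `Max-Age=0` cookie come out as first-party and non-persistent, the `prefs` cookie as first-party but persistent, and the tracker's `uid` cookie as the one third-party, persistent cookie that needs opt-in before it is set. Third-party status is judged against the site domain you supply, so subdomains such as `cdn.example.co.uk` count as first-party; every flagged cookie still needs a human to decide its purpose, which is exactly the "evaluate" step in the tips.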