EC privacy law demands companies gain consent for cookies from today

From today, UK and other European companies face internet privacy law that bans the way most identify and track regular online customers.

From today, UK and other European companies face internet privacy law that bans the way most identify and track regular online customers.

Most companies collect information about their customers on each site visit and store that information on the customers' computers, using a small piece of code commonly called a "cookie". However, as of today (26.05.2011), European Commission (EC) rules demand customers give explicit consent before companies can do this.

Cookies can track things like the items that a customer buys or the web pages they visit, and then pass this information on to advertising companies.

The privacy law affects every company that does business online. Failure to comply could attract penalties of up to £500,000 in the UK, but the Information Commissioner's Office (ICO) will give companies up to 12 months to comply with the cookies legislation.

However, internet companies, such as Facebook and Google, and advertisers are worried the new laws could damage their business models that use targeted ads, according to the Financial Times.

Although most websites will have 10 to 20 cookies, big corporations with multiple websites may even have hundreds or thousands of cookies in use, the paper says, but most are waiting to see how events unfold and have done little preparation to comply with the EC cookie privacy law.

One of the biggest concerns of the privacy law is how companies go about getting customer consent.

The ICO has published information on what the ICO itself is doing to comply with the new privacy law and guidance on how the regulator will enforce the EC rules on cookies.

Communications Minister Ed Vaizey said in a statement: "We recognise some website users have real concerns around online privacy, but also recognise that cookies play a key role in the smooth running of the internet."

The legislation will improve the control individuals hold over their personal data and ensure they can use the internet with confidence, Ed Vaizey said.

"But it will take time for workable technical solutions to be developed, evaluated and rolled out, so we have decided that a 'phased in' approach is right. We have been working closely with the industry, the European Commission and the regulator, and consulted widely. We are confident that we are taking an approach which is sensible, pragmatic and light touch," Vaizey said.

The government believes default browser settings do not meet the requirements of the cookie privacy directive. It has formed a working group with browser manufacturers to see if settings can be enhanced to meet the requirements of the directive.

However, Vaizey said the government will not be mandating technical solutions, as the industry is much better placed to develop these.

"While technical solutions are developed, the ICO has said that it will not take enforcement action against businesses and organisations while they are working actively to address their use of cookies, or are engaged in development work on browsers and/or other solutions. In the meantime website owners are expected to abide by the spirit of law and develop best practice ahead of full implementation," Vaizey said.

Read more on IT legislation and regulation