If we get complaints or have concerns, then we will be checking your site and we will take the necessary steps to ensure that you do work towards compliance.
The cookie legislation is part of a packet of measures contained in the May 2011 amendment to the UK’s Privacy and Electronic Communications Regulations (PECR), which also extended the powers of the ICO and introduced compulsory breach disclosure for telecommunication companies and Internet service providers. At that time, the ICO allowed organisations a one-year grace period to make the necessary changes. But in a recent blog posting that he described as a mid-term report, Information Commissioner Christopher Graham indicated he was disappointed in how few websites had complied.
“The report can be summed up by the schoolteacher’s favourite clichés: ‘could do better’ and ‘must try harder’. A report that listed the URLs of sites that were perfectly compliant from day one would be very short indeed," Graham wrote. "This is not a surprise to anyone who recognises that redeveloping and redesigning a website is no easy task.”
To help organisations make the changes, the ICO updated its guidance to UK website owners and provided a series of examples to show how website owners might seek cookie usage consent from visitors in a range of different circumstances.
Despite widespread criticism of the rules, acknowledged by Graham in his report, he made clear the law will be properly enforced and will not be watered down. “I want to make it clear what will happen after May 26 2012, the end of the lead-in period,” he wrote. “There will not be a wave of knee-jerk formal enforcement action taken against people who are not yet compliant but trying to get there. If you are working towards compliance and following my advice then keep going.”
Guide to EU cookie compliance
This article is part of the EU cookie compliance guide which contains news and advice for organisations in Europe and around the world for complying with the cookie law.
However, Graham added that companies choosing to ignore the rules will be targeted. “If we get complaints or have concerns, then we will be checking your site and we will take the necessary steps to ensure you do work towards compliance,” he wrote.
Claire McCracken, a technology law specialist at London-based law firm Pinsent Masons, welcomed the extra guidance. She said many companies were uncertain about how to implement the new rules and the ICO had done a poor job of explaining what was required.
“By suggesting concrete approaches businesses can take to comply, they have gone a long way toward laying this uncertainty to rest,” McCracken said. “It does not necessarily mean this is a great law, or one that was needed, but at least it is one that businesses have a better chance of complying with today than they did last week.”