ICO stands by unpopular UK cookie legislation with advice, warnings

Website owners have resisted compliance with cookie legislation so the ICO has issued more guidance and warnings to nudge them along.

The Information Commissioner’s Office (ICO) has published detailed advice to help website owners meet more stringent rules governing the use of cookies, yet it remains unclear whether the unpopular guidelines will lead to increased compliance.

The concrete examples contained in the ICO document, Guidance on the rules on use of cookies and similar technologies, released Dec. 13, 2011, are intended to help organisations comply with the UK cookie legislation by the ICO's deadline on May 26, 2012.

If we get complaints or have concerns, then we will be checking your site and we will take the necessary steps to ensure that you do work towards compliance.

Christopher Graham

The rules in the cookie legislation are intended to protect consumers from the covert or underhanded use of cookies to spy on their behaviour, while still allowing the use of cookies where they enhance the users’ overall experience. To achieve this fine balance, the new rules require website owners to explain to their visitors how they use cookies, and to give them the choice of whether to accept cookies.

The cookie legislation is part of a packet of measures contained in the May 2011 amendment to the UK’s Privacy and Electronic Communications Regulations (PECR), which also extended the powers of the ICO and introduced compulsory breach disclosure for telecommunication companies and Internet service providers.  At that time, the ICO allowed organisations a one-year grace period to make the necessary changes. But in a recent blog posting that he described as a mid-term report, Information Commissioner Christopher Graham indicated he was disappointed in how few websites had complied.

“The report can be summed up by the schoolteacher’s favourite clichés: ‘could do better’ and ‘must try harder’. A report that listed the URLs of sites that were perfectly compliant from day one would be very short indeed," Graham wrote. "This is not a surprise to anyone who recognises that redeveloping and redesigning a website is no easy task.”

To help organisations make the changes, the ICO updated its guidance to UK website owners and provided a series of examples to show how website owners might seek cookie usage consent from visitors in a range of different circumstances.

Despite widespread criticism of the rules, acknowledged by Graham in his report, he made clear the law will be properly enforced and will not be watered down. “I want to make it clear what will happen after May 26 2012, the end of the lead-in period,” he wrote. “There will not be a wave of knee-jerk formal enforcement action taken against people who are not yet compliant but trying to get there. If you are working towards compliance and following my advice then keep going.”

Guide to EU cookie compliance

This article is part of the EU cookie compliance guide which contains news and advice for organisations in Europe and around the world for complying with the cookie law.

However, Graham added that companies choosing to ignore the rules will be targeted.  “If we get complaints or have concerns, then we will be checking your site and we will take the necessary steps to ensure you do work towards compliance,” he wrote.

Claire McCracken, a technology law specialist at London-based law firm Pinsent Masons, welcomed the extra guidance. She said many companies were uncertain about how to implement the new rules and the ICO had done a poor job of explaining what was required.

“By suggesting concrete approaches businesses can take to comply, they have gone a long way toward laying this uncertainty to rest,” McCracken said. “It does not necessarily mean this is a great law, or one that was needed, but at least it is one that businesses have a better chance of complying with today than they did last week.”

Read more on Regulatory compliance and standard requirements

Data Center
Data Management