UK government websites miss cookie law deadline

Most UK government websites will fail to comply with the "cookie law" to be enforced from 26 May 2012

Most government websites will be among the large number of UK websites failing to comply with the "cookie law" to be enforced from 26 May 2012.

UK website owners have just over a week to ensure their sites obtain users' opt-in consent before installing pieces of code, known as "cookies", that store and pass on personal details and information about browsing activities to third parties. Those that fail to do so risk fines of up to £500,000.

The regulation on the use of cookies – which requires sites to provide "clear and comprehensive" information about the use of cookies – derives from an amendment to the EU's Privacy and Electronic Communications Directive.

The directive, and the related UK law passed by the Department for Culture, Media and Sport, seek to clamp down on the use of cookies to track browsing habits without users' consent.

Although the EU directive came into force on 26 May 2011, the Information Commissioner's Office (ICO) – which is tasked with regulating the UK law – gave businesses 12 months to comply with the law. In that time, the ICO has issued guidance and advice to help organisations ensure their websites become compliant.

But just a month ahead of the deadline, a KPMG study revealed that 95% of UK companies had yet to comply. And with just over a week to go, it has emerged that most of the UK government's own websites will fail to comply in time, according to the BBC.

Unlike many private sector websites, government sites do not carry advertising, but cookies are still used for things like monitoring levels of traffic.

According to the ICO, there is no "one size fits all" approach which will work for every website. The ICO believes the IT industry is best placed to develop solutions, but says those solutions will depend on how a given website already uses cookies.

Information Commissioner Christopher Graham has made it clear that the ICO will be investigating all UK websites that fail to comply after the deadline.

"We gave industry a year's grace, but when that runs out we will certainly be responding to complaints about organisations that are not following the rules," he told Computer Weekly.

The ICO's concern, he said, will be with UK companies that cannot demonstrate they have thought about compliance and have failed to start the process of giving consumers the means to give their consent for cookies to be placed on their machines.

The Cabinet Office has admitted that few public sector sites will be compliant by the deadline, but claims that the government is "working to achieve compliance at the earliest possible date".

According to the BBC, public sector websites have been told that no action will be taken by the ICO provided they are "showing a commitment" to eventually make changes.

In April, the Information Commissioner told Computer Weekly that ICO investigators will expect businesses to know what their websites do, to be clearing up and getting rid of all unnecessary cookies, and to have a plan in place to become compliant.

According to official guidance, the ICO plans to adopt a targeted, risk-driven and proportionate approach to its enforcement activity, which takes into account the impact a cookie has on the privacy rights of the UK consumer.

The ICO has also made it clear that it has a range of enforcement powers which aim to ensure that organisations comply with the new EU directive, including a civil monetary penalty (CMP).

But the ICO has made it clear that the monetary penalties of up to £500,000 can be issued only in the most serious cases where strict criteria are met. The breach must cause substantial damage or distress to individuals, or have the potential to do so, and the organisation must have failed to take reasonable steps to prevent it.

"In reality the placement of a cookie on an individual’s device will not meet the necessary criteria to be considered for a CMP. Instead we anticipate that an undertaking or an enforcement notice will be the most effective forms of regulatory action in order to improve an organisation’s compliance. Enforcement notices are legally enforceable, and organisations issued with them must take immediate action," the ICO said.

Where someone finds that a UK organisation has placed a cookie on their device without informing them, they can make a complaint to the ICO, which has set up an online complaints form on its website to help people report concerns around a website’s use of cookies.

The ICO said it will keep a record of all the complaints and use this information to decide where best to focus its attention in terms of further guidance and enforcement.

The ICO has set an example by ensuring that its own website has been fully compliant with the new rules since January.

Details of the cookies used on the ICO website – if a person opts in to receiving them – can be found in the privacy policy. Visitors to the site are invited to accept cookies on a banner which shows at the top of the page. However, the ICO has said this approach may not be suitable for every website.

With the deadline for compliance fast approaching, the ICO has urged all organisations to make sure website visitors are given the necessary information and options to control the placement of cookies.

"If a website is using cookies in a manner that impacts on the privacy of the end user, then it is only right that they should be told about what is going on," the ICO said.

The privacy watchdog has emphasised that the changes relate to the placement of cookies on all devices, not just PCs and laptops.

"While standard web browsers on mobiles and other web browsing devices don’t have the same functionality for turning off and deleting cookies, in the long-term we would expect organisations to ensure that their website is compliant, irrespective of the device it is viewed on," the ICO said.

In April, the Information Commissioner's guidance to any organisations that had not begun to prepare for the enforcement of the cookie law was to look at the advice published on the ICO website.

The first step after that, he said, would be to do an audit of all the cookies that a company's systems are placing on other people's computers.

This will enable organisations to demonstrate knowledge of what their websites do and draw up a plan for removing all unnecessary cookies and charting a path to compliance.
