Cookie law: many UK organisations still unprepared, says law firm

With UK "cookie law" to be enforced at the weekend, many UK organisations are unprepared, as the ICO appears to change tack..

With UK "cookie law" to be enforced at the weekend, many UK organisations are unprepared as the Information Commissioner's Office (ICO) appears to change tack, says international law firm Field Fisher Waterhouse (FFW).

Last week, it was revealed that most government websites will be among the large number of UK websites that will not comply with the law when the deadline for compliance is reached.

From 26 May, UK website owners are required by law to ensure the sites obtain users' opt-in consent first if they want to install pieces of code, known as "cookies", that store and pass on personal details and information about browsing activities to third parties.

The regulation on the use of cookies – which requires sites to provide "clear and comprehensive" information about the use of cookies – derives from an amendment to the EU's Privacy and Electronic Communications Directive.

The directive and related UK law came into force on 26 May 2011, but the Information Commissioner's Office (ICO) gave businesses 12 months to comply with the law.

However, despite the grace period, many organisations are still confused and unprepared for the coming changes, according to Eduardo Ustaran, privacy and information law head at FFW.

"There is a sense of panic in the air as the ICO's self-imposed deadline to begin enforcing the cookie consent requirement approaches and as a result we have seen a compliance rush in the past few weeks.  Many website operators are shocked to see the amount and nature of the cookies served via their sites.

"However this is not an issue which can be quickly improvised.  This is a critical business decision in which organisations need to balance compliance certainty with the potential commercial impact of tweaking their site," said Ustaran. 

While it is unlikely the ICO will fine companies for non-compliance, he said, the ICO will ensure that infringing sites are forced to get their house in order within a limited period of time by serving them with enforcement notices.

Despite the ICO's assurances that enforcement of the cookie law would be led by complaints, it has fired off some "very nasty" letters to 50 companies that operate high-traffic websites, in an apparent change in approach just days before the deadline, said Ustaran.

The ICO has declined to name the companies that have been given 28 days to demonstrate what actions they have taken towards compliance, but are thought to include top shopping, mobile and banking sites.

According to Ustaran, there are four essential steps that organisations should take to ensure compliance. 

First, websites should be audited to identify which cookies it serves.  Next an assessment needs to be made of the intrusiveness of the cookies served by the website to inform how prominent cookie consent notices should be.  Third, a consent strategy for the website needs to be decided. 

"Finally, the consent strategy needs to be implemented, this will require technical and operational changes to your website," he said.

In the past year the ICO has published advice on its website on how to comply with the new law. Revised guidelines will be published at the end of the week, just ahead of the deadline.

 UK websites still riddled with undisclosed cookies, study finds

What businesses need to do before the cookie law deadline

UK companies not yet compliant with cookie law

How to comply with the EU cookie law

ICO publishes cookie law advice for UK website owners


Read more on Privacy and data protection