Last working day before cookie law enforcement

The deadline for compliance with UK cookie law expires this weekend, but there is no need to panic, says data protection lawyer Stewart Room

The cookie law, that requires consent to store information on websites users, will be enforced from this weekend, when the deadline for compliance with the law, introduced a year ago, expires.

Indications are that most private and most government websites are unlikely to be ready, but there is no need to panic, according to Stewart Room, partner at law firm Field Fisher Waterhouse.

In April, information commissioner Christopher Graham said: "We gave industry a year's grace, but when that runs out we will certainly be responding to complaints about organisations that are not following the rules."

However, in recent days the Information Commissioner's Office has taken a far more proactive approach, sending letters to 50 high-traffic websites, demanding they demonstrate what action they are taking to comply with the law within 28 days.

But Room believes there is no need to panic. "Yes, my personal view is that it’s an unnecessary change, but, no, it’s not going to be the end of the internet and it's not going to ruin the web experience," he wrote in a blog post.

Room points out that companies have been dealing with the need for legal consent for years without too many difficulties, and that consent mechanisms can be designed in a user-friendly way.

"With a bit of thought you can deliver a compliance solution that disturbs no-one and ruins nothing," he said.

According to Room, the best way to mitigate the effects of the cookie law is to engage with it and move on. "There are much more serious issues to deal with in the world of privacy and data protection," he said.

The cookie law – which requires sites to provide clear and comprehensive information about the use of cookies and derives from an amendment to the EU's Privacy and Electronic Communications Directive – Room believes is a good example of the awkward results that are often produced when the law tries to catch up with technology.

This is further complicated by the fact that EU law has to be technology-neutral in an attempt to avoid laws from becoming outdated quickly or favouring any particular supplier, he told Computer Weekly.

"What you end up with is a law that affects things unnecessarily, such as the benign use of cookies rather than targeting just those that pose a risk to privacy," he said.

According to Room, it would be far more efficient to limit the scope of laws to make them easier to keep up to date and target only specific concerns.

Otherwise, he said, ridiculous situations arise such as the 2003 Bodil Linqvist case in which a woman in Sweden, who set up a website for local church parishioners in Aseda, was convicted and fined for breaching data protection laws.

Linqvist appealed, but in a landmark decision, the European Court of Justice ruled that, by including information about fellow church volunteers on her website, she was in breach of the EU Data Protection Directive.

"The danger is that the cookie law could be taking us in this direction, with a UK blogger becoming the next Bodil Linqvist if the ICO succumbs to the temptation of going after smaller, weaker targets," he said.

Room believes most data protection regulations should be scrapped, as they are a drag on the economy, but achieve nothing and offer very little real protection to the individual citizen.

"We need to get rid of the data protection law baggage so that the real issues can be targeted properly," he said. "It would be possible to adjust the public purse to achieve the desired effect, but the EC wants to regulate everything."

For answers to the most common questions about the cookie law and what organisations can do to avoid potential enforcement action, Phil Lee, another lawyer at Field Fisher Waterhouse, has written the following article: Cookie consent: Preparing for the compliance crunch



Read more on Privacy and data protection