UK cookie law compliance mixed, study finds

Three months after the enforcement of the cookie law, only 12% of UK websites have implemented prominent privacy notices with robust cookie controls, a study has revealed.

The regulation on the use of cookies derives from an amendment to the EU's Privacy and Electronic Communications Directive.

The directive and related UK law came into force on 26 May 2011, but the Information Commissioner's Office (ICO) gave businesses 12 months' grace to comply.

However, a recent analysis of more than 200 top UK websites shows that just over half at least have minimal privacy notices with limited cookie controls.

The study by data privacy management firm TRUSTe revealed that 37% of websites in the sample do not appear to have taken any steps to comply with the law.

While nearly half of these sites have under 25 third-party cookies present on their site, 35% have a moderate level of third-party cookies (26-50) and 16% have a high level of more than 50 third-party cookies.

Overall, 56% of the sites examined in this study had moderate to high levels of third-party trackers, but within this group only 17% had implemented robust compliance solutions combining prominent privacy notices and strong cookie controls.

Some of the best examples of robust compliance used creative approaches that made the implementations especially user-friendly,said  TRUSTe.

Toyota, for example, made it very simple for users to control cookie settings on their site, and provided individual descriptions of cookie purposes.

Similarly, Barclays’ website displayed a clear privacy notice directing users to a page explaining the purpose of each cookie while providing easily accessible cookie preference controls.

The study found that UK companies have also worked hard to ensure that the messaging is applicable to their users and consistent with their brand as shown on the Aldo Shoes website, where customers who click on “cookie preferences” are asked if they are “cool with cookies?”

“Based on our analysis it is clear that many companies have started to take the EU cookie directive seriously and devoted time and resources to implement a compliance solution that helps their users control the tracking activity on their site,” said Chris Babel, CEO at TRUSTe.

It is clear that some companies have yet to put a compliance solution in place, he added.

In the week following the deadline for compliance, the ICO said it had received dozens of complaints about sites using cookies without permission.

The ICO can impose monetary penalties of up to £500,000 for non-compliance, but the watchdog has indicated that it prefers to send out enforcement notices, as long as website owners are making progress towards compliance.