Senior MPs flout EU cookie law

Two years after the EU cookie regulation and related UK law came into force, not all UK websites are compliant, including the sites of 13 senior MPs.

Since 26 May 2012, UK website owners have been required by law to obtain users' opt-in consent before their websites install pieces of code, known as "cookies", used to recognise and track users.

The regulation on the use of cookies derives from an amendment to the EU's Privacy and Electronic Communications Directive.

The directive and related UK law came into force on 26 May 2011, but the Information Commissioner's Office (ICO) gave businesses 12 months' grace to comply.

More than two years later, it emerged that justice secretary Chris Grayling is among 13 senior MPs whose websites do not comply with the cookie law, according to the BBC.

The ICO said it would remind the MPs about their obligation to comply with EU privacy laws, but would not confirm or deny the websites were breaking the law, the report said.

Many UK website operators have added pop-up messages or banners to their sites giving visitors details of how cookies are used on the site and how visitors can opt out.

These basic measures have not yet been implemented on the constituency websites of cabinet members Nick Clegg, Chris Grayling, Danny Alexander, Ed Davey and Theresa Villiers, and cabinet attendee Andrew Lansley.

Cookie notifications are also missing on the constituency websites of senior Labour MPs Harriet Harman, Ed Balls, Sadiq Khan, Mary Creagh, Vernon Coaker, Jon Cruddas and Karen Buck.

£500,000 fine

A spokesman for deputy prime minister Nick Clegg said it was a technical oversight that one of the MP's two websites did not seek users' consent to save cookies to their machines.

A spokesman for justice secretary Chris Grayling said that, while some work was being done on the back end of the website, the cookie policy plugin Cookie Control was accidentally disabled for a brief period of time, but this was subsequently corrected.

Ed Davey and Karen Buck said they had taken new steps to ensure their website was compliant with the law. A spokesman for Harriet Harman said her site had been compliant even without the cookie pop-up, which has since been re-introduced after a technical issue caused it to fail to display.

A spokesman for Mary Creagh said her website was being upgraded and would soon comply with the cookie law.

The ICO can impose monetary penalties of up to £500,000 for non-compliance, but the watchdog has indicated in the past that it prefers to send out enforcement notices, as long as website owners are making progress towards compliance.

Critics of the cookie regulations say that, while the goals are noble, the current form of the law is unworkable and unenforceable.

Four steps to cookie compliance

  1. Websites should be audited to identify which cookies they serve.
  2. An assessment needs to be made of the intrusiveness of the cookies served to inform how prominent cookie consent notices should be.
  3. A consent strategy needs to be decided.
  4. The consent strategy needs to be implemented, which will require technical and operational changes.

Eduardo Ustaran, privacy and information law head, Field Fisher Waterhouse
