ICO may give organisations years to comply with EU cookie law

Information Commissioner's Office promises breathing space for 'complex organisations'

A senior policy manager at the Information Commissioner's Office (ICO) has said that it may give organisations with complex website environments years to comply with new EU cookie laws, even though the new regulation came into effect in the UK almost twelve months ago.

The government was forced to revise the Privacy and Electronic Communications Regulations, which came into force in the UK on 26 May last year, to address a new EU directive requiring businesses and organisations running websites in the UK to obtain consent from visitors before storing cookies on their computers.

However, the ICO stated at the time that it would give businesses a twelve month 'moratorium' period in which to get their house in order and to comply with the new regulation.

Despite the ICO's warning, and the one year breathing space, it has now said that it would be happy if some complex organisations take years to comply, if they can show that they are working towards compliance.

"We have seen a lot of attempts at good practice over the past 12 months, but what we haven't seen is people launching these on their websites," said David Evans, senior policy manager at the ICO.

"But we know that these things take time and we are sensible enough to know that this is not just a matter of switching things on. It takes time."

Evans went on to say that the ICO is engaging with organisations that are working to "sensible timelines" to achieve compliance. When Computerworld UK asked what the ICO considered a "sensible timeline", Evans conceded that this could be a number of years.

"Some of the timescales don't match the May 2011 to May 2012 deadline. We recognise that some of the people we speak to don't have web development cycles that start just because the ICO has set a deadline," said Evans.

"But, where we have seen businesses with practical examples of compliance, working to sensible timescales, we are perfectly happy to leave them to it."

Deputy Commissioner David Smith was quick to respond to this by saying that he didn't believe an organisation saying it would be compliant in "five or six years" was a sensible timeframe, but did also concede that it was "very hard to say" and that it "depended on the nature of the site".

Both Smith and Evans highlighted that some organisations have thousands of cookies and have multiple domains, which is why it would take them so long to get a solution in place. However, they also insisted that companies should be carrying out tasks now to work towards compliance.

"We know that this is a challenge for businesses and could well be years, but there are things we expect people to do, such as carry out a full audit of what cookies they use. Do a bit of housekeeping," said Evans.

Deputy Commissioner Smith was also keen to highlight that although the moratorium period has come to an end, this did not mean that the ICO was going to launch a "torrent of enforcement action".

"What it really means is those complaints about websites that don't get consent for cookies will now go into the normal processes we would take in assessing whether to use our enforcement powers," explained Smith.

He said that this depended on a number of factors. For example, the ICO will pay more attention to websites using 'intrusive cookies', such as those used for tracking in order to generate advertising revenue based on a user's online behaviour, whereas cookies used for simple analytics are likely to get less attention.

The ICO is also unlikely to use its ability to fine companies up to £500,000 as it believes a breach of the cookie law is unlikely to meet the requirements it would need to issue such a fine.

"To issue a fine there has to be a serious breach. It has to be one that is likely to cause substantial damage or distress to individuals," said Smith.

The ICO is more likely to use its notice powers to encourage companies to comply, said Smith. Effectively, it will write to companies that aren't taking steps to comply with the new regulation, providing timeframes to do so. If these companies fail to achieve compliance within the given timeframe, this then becomes a criminal offence and the ICO can prosecute.
