ICO may give organisations years to comply with EU cookie law
Information Commissioner's Office promises breathing space for 'complex organisations'
By Derek du Preez
May 19, 2012 — Computerworld UK — A senior policy manager at the Information Commissioner's Office (ICO) has said that it may give organisations with complex website environments years to comply with new EU cookie laws, even though the new regulation came into effect in the UK almost twelve months ago.
The government was forced to revise the Privacy and Electronic Communications Regulations, which came into force in the UK on 26 May last year, to address a new EU directive that requires businesses and organisations running websites in the UK to get consent from visitors to their websites in order to store cookies on users' computers.
However, the ICO stated at the time that it would give businesses a twelve-month 'moratorium' period in which to get their house in order and to comply with the new regulation.
Despite the ICO's warning, and the one-year breathing space, it has now said that it would be happy if some complex organisations take years to comply, if they can show that they are working towards compliance.
"We have seen a lot of attempts at good practice over the past 12 months, but what we haven't seen is people launching these on their websites," said David Evans, senior policy manager at the ICO.
"But we know that these things take time and we are sensible enough to know that this is not just a matter of switching things on. It takes time."
Evans went on to say that the ICO is engaging with organisations that are working to "sensible timelines" to achieve compliance. When Computerworld UK asked what the ICO considered a "sensible timeline", Evans conceded that this could be a number of years.
"Some of the timescales don't match the May 2011 to May 2012 deadline. We recognise that some of the people we speak to don't have web development cycles that start just because the ICO has set a deadline," said Evans.
"But, where we have seen businesses with practical examples of compliance, working to sensible timescales, we are perfectly happy to leave them to it."
Deputy Commissioner David Smith was quick to respond to this by saying that he didn't believe an organisation saying it would be compliant in "five or six years" was a sensible timeframe, but did also concede that it was "very hard to say" and that it "depended on the nature of the site".
Both Smith and Evans highlighted that some organisations have thousands of cookies and have multiple domains, which is why it would take them so long to get a solution in place. However, they also insisted that companies should be carrying out tasks now to work towards compliance.