Public sector and businesses to get 12 months to comply with website cookie rules

Public sector organisations and businesses that run websites will have up to 12 months to “get their house in order” over the use of cookies, under new guidance on enforcement published by the Information Commissioner’s Office.

The 12-month period of grace comes after the government said it did not expect the ICO to enforce the new rule immediately. But the Information Commissioner, Christopher Graham, warned that the lead-in period “does not let everyone off the hook”, adding that those who chose to do nothing during this time would have their lack of action taken into account when the regulator brings formal enforcement of the rules.

The guidance has been issued a day before the revised Privacy and Electronic Communications Regulations (PECR) come into force in the UK (26 May). The changes to the regulations mean that website owners need to get consent from visitors if they are to store cookies on the users’ computers.

Cookies are used for a range of reasons – for example to help analyse consumer browsing habits or to remember a user’s payment details when buying products or services online.

The ICO’s guidance said the Commissioner would continue to follow the approach set out in his Data Protection Regulatory Action Policy. “This means adopting a targeted, risk-driven and proportionate approach to the use of his powers,” it explained. “It also means being selective with the key driver for action being concerns about significant actual or potential detriment caused to individuals by a failure to comply with the requirements of the PECR.”

From May 2012, where there has been a breach of the revised cookies rules, the Commissioner will be concerned with the impact of the breach on the privacy and other rights of website users and not just with whether there had been a technical breach of the 2011 Regulations.

Where the Commissioner receives complaints about cookies before May 2012, he will initially provide advice to the organisation concerned on the requirements of the law and how they might comply. Where appropriate, he may also ask those organisations to explain the steps they are taking to ensure they will be in a position to comply by May 2012.

The guidance also provides:

  • Information for consumers on what the new rules will mean for them and how to complain
  • Information on what the ICO itself is doing to comply with the new rules in respect of its own website.

Christopher Graham said: “I have said all along that the new EU rules on cookies are challenging. It would obviously ruin some users’ browsing experience if they needed to negotiate endless pop ups - and I am not saying that businesses have to go down that road.

“Equally, I have to remember that this law has been brought in to give consumers more choice about what companies know about them. That’s why I’m taking a common sense approach that takes both views into account.”

Graham said browser settings giving individuals more control over cookies would be an important contributor to a solution, but warned that the necessary changes to the technology were not there yet.

The Information Commissioner acknowledged that the watchdog’s own site would be looked at as a model of how to comply. “We’ve decided to place a header bar on our website giving users information about the cookies we use and choices about how to manage them,” he said. “I am not saying that other websites should necessarily do the same. Every website is different and prescriptive and universal ‘to do’ lists would only hinder rather than help businesses to find a solution that works best for them and their customers.”

The ICO’s guidance on enforcement comes two weeks after separate guidance on how businesses and other organisations could comply with the new rules. Graham said this would be supplemented by real-life examples of solutions as they come in.

The enforcement guidance also sets out how the ICO will use other new powers granted to the watchdog as part of the Regulations. These include a power to impose financial penalties on telecoms and internet companies who fail to notify the regulator about their data breaches, as well as stronger powers to investigate the businesses behind nuisance marketing calls and spam texts.

A copy of the enforcement guidance can be downloaded here.