Website operators have an extra year’s ‘grace period’ to change the way they use cookies to comply with new laws, the Information Commissioner’s Office (ICO) has said.
From today, UK laws based on the EU’s Privacy and Electronic Communications Directive will force websites to obtain users’ consent in order to store cookies. Cookies are small text files that record user activity on websites.
Cookies can be used for a variety of purposes, such as the analysis of consumer browsing habits or remembering payment details when buying products online.
Privacy groups, which pushed for greater regulation on cookies, want to see users able to give consent to every cookie presented to them.
Technically all firms must comply with the law but the UK has said that it needs more time to find a workable solution.
The ICO said it was allowing the exemption period because there was no adequate technical solution within browser settings to obtain user consent to cookies.
However, Microsoft’s IE9 browser already offers a setting to protect users from services which collect and harvest browser data and both Mozilla’s Firefox browser and Google’s Chrome are working at integrating so-called ‘Do Not Track’ technologies into their offerings.
“Although there isn’t a formal transitional period in the Regulations, the government has said they don’t expect the ICO to enforce this new rule straight away,” Christopher Graham, the Information Commissioner, said in a statement. “So we’re giving businesses and organisations up to one year to get their house in order. This does not let everyone off the hook. Those who choose to do nothing will have their lack of action taken into account when we begin formal enforcement of the rules.”
‘Guides rather than punishment’
The ICO said it would respond to complaints about cookies during the exemption period by advising website owners how to comply with the new Privacy and Electronic Communications Regulations, an ICO guide on how it will enforce the regulations said.
“[The Information Commissioner] will provide advice to the organisation concerned on the requirements of the law and how they might comply,” the ICO enforcement guide (7-page / 132KB PDF) said.
“Where he considers it appropriate, and particularly as May 2012 approaches, he will also ask organisations to explain to him the steps they are taking to ensure that they will in fact be in a position to comply by May 2012,” the guide said.
The ICO recently published guidance on how organisations can comply with the new regulations. It suggested a variety of options websites could use to gain user consent, including prompting users with pop-up questions about their consent to cookies or writing cookie consent into terms and conditions users have to agree to when registering with a site.
Website features, such as videos, that remember how users personalise their interaction, could also determine user consent, the ICO said.
‘Light touch regulation’
The government said that it was looking for a “business-friendly” solution and believed in light-touch regulation.
“We recognise that some website users have real concerns around online privacy but also recognise that cookies play a key role in the smooth running of the internet,” said communications minister Ed Vaizey.
“But it will take some time for workable technical solutions to be developed, evaluated and rolled out so we have decided that a phased in approach is right,” he added.
Self-regulation be a better solution?
Rupert Staines, managing director of Ad Network RadiumOne UK argued that self-regulation would be most beneficial to consumers and the industry, and draws on the US example as a success story.
“The EU’s directive has naturally been met with criticism from many corners, especially when you look at the example set by the US,” said Staines. “Its self-regulation framework has not only avoided such strict compliance, but will also bring a great competitive edge over its European counterparts. Of the millions of US consumers using the internet every day, only a tiny proportion has chosen to opt out of receiving cookies on their computer, implying that the EU overestimates consumer concerns regarding online privacy.
“A similar self-regulation framework, such as ‘Your Online Choices’ involving the IAB’s “forward i” icon, offers a comprehensive and compliant system that will be audited by independent experts in the industry. RadiumOne is signing up to the EU Framework for behavioural advertising to provide internet users with greater transparency and control right across all 27 EU markets.
This self-regulatory solution has the full support of the UK Government as it places consumers at the heart of the activity, enabling them to be fully informed. Technology is moving so fast that it should be handled by those that understand the digital environment and the extent of privacy issues affecting consumers,” Staines concluded.
Read the ICO Enforcement guide here