Must try harder on cookies compliance says ICO

13 December 2011
Website owners ‘must try harder’ on complying with the new cookies law,
the Information Commissioner’s Office (ICO) said today, as it published
its half term report on enforcing the new rules.
The ICO has also today published updated guidance for UK website owners,
setting out specific examples of what compliance looks like.
Information Commissioner, Christopher Graham, said:
“The guidance
we’ve issued today builds on the advice we’ve already set out, and now
includes specific practical examples of what compliance might look
like. We’re half way through the lead-in to formal enforcement of the
rules. But, come 26 May next year, when our 12 month grace period ends,
there will not be a wave of knee-jerk formal enforcement actions taken
against those who are not yet compliant but are trying to get there.”
The UK government
has revised the Privacy and Electronic Communications Regulations,
which came into force in the UK on 26 May, to address new EU
requirements. The Regulations make clear that UK businesses and
organisations running websites in the UK need to get consent from
visitors to their websites in order to store cookies on users’
computers.
One common
technique of storing information is widely known as a cookie. This is a
small file that a website puts on a user’s computer so that it can
remember something, for example the user’s preferences, at a later
time. The majority of businesses and organisations in the UK currently
use cookies for a wide variety of reasons – from analysing consumer
browsing habits to remembering a user’s payment details when buying
products online.
As the independent
arbiter of information rights, the Information Commissioner has been
charged with regulating the new rules for websites aimed at UK
consumers.
Mr Graham continued:
“Our mid-term
report can be summed up by the schoolteacher’s favourite clichés “could
do better” and “must try harder.” Many people running websites will
still be thinking that implementing the law is an impossible task. But
they now need to get to work. Over the last few months we’ve been
speaking to and working with businesses and organisations that are
getting on with it and setting the standard. My message to others is –
if they can do it, why can’t you?
“Some people seem
to want us to issue prescriptive check lists detailing exactly what
they need to do to comply. But this would only get in the way and would
be too restrictive for many businesses and organisations. Those
actually running websites are far better placed to know what will work
for them and their customers.”
Key points set out in the amended cookies advice include:
- More detail on what is meant by consent. The advice says ‘consent must
involve some form of communication where an individual knowingly
indicates their acceptance.’
- The guidance explains that cookies used for online shopping baskets
and ones that help keep user data safe are likely to be exempt from
complying with the rules.
- However, cookies used for most other purposes including analytical,
first and third party advertising, and ones that recognise when a user
has returned to a website, will need to comply with the new rules.
- Achieving compliance in relation to third party cookies is one of the
most challenging areas. The ICO is working with other European data
protection authorities and the industry to assist in addressing the
complexities and finding the right answers.
- The ICO will focus its regulatory efforts on the most intrusive
cookies or where there is a clear privacy impact on individuals.
A mid-term report can be viewed on the ICO website here:
http://www.ico.gov.uk/news/blog/2011/half-term-report-on-cookies-compliance.aspx
The guidance can be viewed on the ICO website here:
http://www.ico.gov.uk/news/blog/2011/~/media/documents/library/Privacy_and_electronic/Practical_application/guidance_on_the_new_cookies_regulations.ashx
If you need more information, please contact the ICO press office on
0303 123 9070 or visit the website at: www.ico.gov.uk.
Notes
- The Information Commissioner’s Office upholds information
rights in the public interest, promoting openness by public bodies and
data privacy for individuals.
- The ICO has specific responsibilities set
out in the Data Protection Act 1998, the Freedom of Information Act
2000, Environmental Information Regulations 2004 and Privacy and
Electronic Communications Regulations 2003.
- The ICO is on Twitter, Facebook and LinkedIn.
- Anyone who processes personal information
must comply with eight principles of the Data Protection Act, which
make sure that personal information is:
- Fairly and lawfully processed
- Processed for limited purposes
- Adequate, relevant and not excessive
- Accurate and up to date
- Not kept for longer than is necessary
- Processed in line with your rights
- Secure
- Not transferred to other countries without adequate
protection
About the Author
The Information Commissioner’s Office is the UK’s
independent authority set up to uphold information rights in the public
interest, promoting openness by public bodies and data privacy for
individuals. We do this by promoting good practice, ruling on
complaints, providing information to individuals and organisations and
taking appropriate action when the law is broken.
The ICO enforces and oversees the following
legislation:
- Data Protection Act 1998
- Freedom of Information Act 2000
- Privacy and Electronic Communications Regulations 2003
- Environmental Information Regulations 2004