Small and medium enterprises (SMEs) in the UK are up in arms about the last-minute changes made to policy on the newly-enforced cookie law.
Since 26 May, UK website owners have been required by law to ensure their sites obtain users' opt-in consent first if they want to install pieces of code, known as "cookies", that store and pass on personal details and information about browsing activities to third parties.
The regulation on the use of cookies derives from an amendment to the EU's Privacy and Electronic Communications Directive.
The directive and related UK law came into force on 26 May 2011, but the Information Commissioner's Office (ICO) gave businesses 12 months' grace to comply.
The ICO was criticised at the end of May for updating its policy just before the expiry of its year-long period of grace for companies to prepare for the new law.
But now SMEs say the last-minute changes have left them unnecessarily out of pocket by suddenly recognising implied consent as compliant, making some investments futile.
"It takes a significant amount of effort to put a system of full consent into place and it is far beyond the realms of most SMEs," said Neil Lathwood, technical director at hosting firm UKFast.
Those SMEs that have invested the time and money to set up pop-ups or banners have now been told that "implied consent" is compliant with the law, making their well-meaning efforts pointless and probably costly, he said.
In initial reaction to the change in policy, Stephen Groom, head of marketing and privacy law at law firm Osborne Clarke, said although the new, pragmatic approach is more business-friendly, it would have been good to have had earlier visibility of the dramatic change.
"It also remains to be seen whether this puts the UK out of step with Brussels and most other EU states," he said.
However, David Evans, strategic liaison group manager at the ICO, said in a blog post about the updated guidelines that website owners relying on implied consent need to be satisfied that users understand their actions will result in cookies being set.
"Without this understanding you do not have their informed consent," he said.
Evans said sites should not rely on the fact that users might have read a privacy policy that is perhaps hard to find or difficult to understand.
"In some circumstances, for example where you are collecting sensitive personal data such as health information, you might feel that explicit consent is more appropriate," he said.
Mark Steven, head of client services at digital agency Civic, said the late turnaround has had a huge impact on digital agencies helping their clients adhere to the law.
"The last-minute change in guidance from the ICO really threw the cat among the pigeons for us. There had been so little guidance beforehand that we were working towards the only safe option of full, explicit consent whereas now we are recommending that users implement an implied consent model on their sites, unless they depend heavily on particularly invasive cookies," he said.
The poor communication from those regulating the law, said Steven, has led to different interpretations by UK companies, with some choosing to invest in complete compliance and others choosing to ignore it.
Steve Kuncewicz, head of legal at online fashion retailer BooHoo.com, said recent research from KPMG suggests that 80% of businesses are not compliant with even the new, slightly relaxed rules and are adopting a "wait and see" attitude.
"It’s going to be some time before we get a clear idea of how enforcement will pan out but, in the meantime, going above and beyond to demonstrate informed consent is still the best idea," he said.
“There are steps that you could do in advance of a total website refresh,” said Lucy Nixon, editor at Corporate Eye.
"You could audit your website to see what cookies you are using and then work out which ones matter and need consenting to and which don’t. Then you can disclose to the site users and tell them what you are doing with cookies and why," she said.
Garry Byrne, managing director of Manchester agency Reading Rooms, said many people in the industry are just saying "let’s see what happens" as they think it is an unenforceable law and they cannot afford to do anything about it.
"Not all companies can do this overnight because they don’t have the money, but they are doing as much as they can do at the moment and I think the ICO would be happy with that," he said.
In the week following the deadline for compliance, the ICO said it had received dozens of complaints about sites using cookies without permission.
The ICO can impose monetary penalties of up to £500,000 for non-compliance, but the watchdog has indicated that it prefers to send out enforcement notices, as long as website owners are making progress towards compliance.