More Than Half of UK Organisations Are Still Not Compliant

More than half of UK organisations are still not compliant with the EU "cookie directive", a year after the legislation was introduced, according to consultants KPMG.

It analysed 55 major UK organisations across the private and public sectors, and found that 51 per cent had failed to comply with the new rules, meaning that they could be breaching user privacy and, therefore, liable to be fined up to £500,000.

The law, part of the EU Directive on Privacy and Electronic Communications, means that websites need to obtain users' consent before installing cookies on their PCs, which could potentially be used to glean information about their browsing activities.

KPMG found that many organisations that had been compliant 12 months ago were also failing to comply with the legislation. Only two per cent of websites were found to be asking for explicit consent, down from four per cent in September 2012.

Of the remaining websites analysed, 43 per cent used "implicit" compliance to obtain consent from users, meaning that a pop-up box appears on the website explaining the organisation's cookie policy.

While this is enough to be compliant in the UK, it does not satisfy the requirements of the EU Directive, which requires explicit consent before cookies can be installed. Only four per cent of organisations have become fully compliant by not setting cookies on their website at all.

The 51 per cent figure is an improvement from April 2012 when 95 per cent of organisations surveyed had not complied with the upcoming law, and June 2012 when only 10 of the 55 organisations had implemented measures regarded as compliant with the law.

However, Stephen Bonner, a partner at KPMG's information protection and business resilience team, believes that organisations' reactions to the cookie law may affect future legislation.

"It begs questions around how organisations will react to future legislation. Organisations seem to have been conditioned into thinking they can 'get away' with the barest minimum activity when it comes to cyber space, and many will be wondering whether they really have to respond to future directives as they emerge," he said.

Bonner went on to question whether the EU Cookie Law has achieved what it was supposed to achieve from the outset.

"The fact remains that cookies monitor users' website activity which, if used without prior knowledge for marketing and other purposes, is a breach of privacy.

"By adopting this implicit approach, organisations are assuming individuals have previously consented to receiving cookies and this is hardly the spirit in which the legislation was introduced," he said.  

He concluded: "We would therefore question whether the 'Cookie Law' has achieved what it set out to achieve and whether the threat of fines is enough to change organisations' behaviour." 

Source: http://www.computing.co.uk/ctg/news/2271010/half-of-uk-organisations-not-compliant-with-eu-cookie-law#comment_form