The number of UK websites complying with the newly enforced cookie law improved in the final month of the grace period, but 80% are still not compliant, a study shows.
Since 26 May, UK website owners have been required by law to ensure the sites obtain users' opt-in consent first if they want to install pieces of code, known as "cookies", that store and pass on personal details and information about browsing activities to third parties.
The regulation on the use of cookies derives from an amendment to the EU's Privacy and Electronic Communications Directive.
The directive and related UK law came into force on 26 May 2011, but the Information Commissioner's Office (ICO) gave businesses 12 months' grace to comply.
A study by consultancy KPMG a month ahead of the deadline for compliance revealed that out of a sample of 55 representative UK websites, only 5% were compliant. Just over a week before the deadline it also emerged that most of the UK government's websites would fail to comply in time.
A repeat of the study on 28 and 29 May revealed that while half of the sample had updated their privacy policy, only 20% of major UK organisations across UK private and public sectors are compliant.
More than three in four UK organisations have failed to change their websites in line with the EU Privacy and Electronic Communications DirectiveAlthough this is an improvement of 15%, it still means more than three in four UK organisations have failed to change their websites in line with the EU privacy directive.
ICO receives cookie complaints
In the week following the deadline for compliance, the ICO said it had received dozens of complaints about sites using cookies without permission.
The ICO can impose monetary penalties of up to £500,000 for non-compliance, but the watchdog has indicated that it prefers to send out enforcement notices, as long as website owners are making progress towards compliance.
The latest KPMG study also revealed that most of the 20% of sites that are compliant are relying on "implied consent" rather than giving users an explicit choice to opt in or out.
KPMG found that since its first study in March, 40% of websites have now updated or added new policies providing additional detail on cookies, including links to relevant information, which is not enough for full compliance.
Another 40% of websites have not introduced any changes since March at all. In addition, no organisation had implemented measures for their mobile websites. Compliance in most cases refers to the main web presence, whereas secondary sites are typically non-compliant.
Cookie law progress is slow
There is clearly some progress, in that the cookie law has had an effect on a number of website providers, said Stephen Bonner, a partner in the information protection and business resilience business team at KPMG.
"However, what we have also seen is a great deal of confusion around what is actually required to comply with the law. Therefore, many organisations take a wait-and-see approach at this stage. Some also seem to assume that the measures they have taken so far are sufficient – but they are not," he said.
Bonner said that while there is still much confusion, there is also a call for organisations to adopt a more basic approach towards these requirements; informing customers upfront when you are collecting and analysing information about them builds trust and confidence in your organisation as a whole.
"Organisations should therefore analyse their situation and make sure their full web as well as mobile presence gets in line with the law. The time to act is now as there have been many complaints to regulators from customers unhappy about their rights not being respected," he said.
Many organisations are shocked to see the number and nature of the cookies served via their sites, according to Eduardo Ustaran, privacy and information law head at law firm Field Fisher Waterhouse.
But he said it is not an issue that can be quickly improvised. "This is a critical business decision in which organisations need to balance compliance certainty with the potential commercial impact of tweaking their site," said Ustaran.
There are four essential steps that organisations should take to ensure compliance, he said. First, websites should be audited to identify which cookies it serves. Next an assessment needs to be made of the intrusiveness of the cookies served by the website to inform how prominent cookie consent notices should be. Third, a consent strategy for the website needs to be decided. Finally, the consent strategy needs to be implemented, which will require technical and operational changes to the website.
