Change in website cookie law unsettles businesses

UK businesses have voiced concern over new EU laws that affect the ways websites store personal user data, following last minute legislation alterations.

The Privacy and Electronic Communication Regulations Act 2011, which came into effect on 26 May 2012, dictates that users must consent to the use of files known as cookies being stored on their computer. Cookies are widely used to analyse a user's internet behaviour allowing for more personalised website usage such as targeted advertising campaigns.

The rules have been designed to protect the privacy of internet users prompted in part by concerns about online tracking of individuals.

The Information Commissioner's Office (ICO), which enforces the law in the UK, has however been criticised for legislation amendments made in the eleventh hour which allow websites to seek 'implied consent' from users - meaning they (users) do not have to make an explicit choice.

It had initially said that users must specifically choose to opt-in to the cookie agreement. The changes, however, now mean that users who continue to use a site will automatically agree to have cookies stored on their device and their personal information gathered.

Stephen Pattison, director of the International Chamber of Commerce (ICC) warned last year that the 'vagueness' of the directive would create 'real ambiguity' for website owners.

Neil Lathwood, technical director of UKFast said the last minute change had impacted on smaller companies.

"It takes a significant amount of effort to put a system of full consent into place and it is far beyond the realms of most SMEs," he said.

"Those who have invested the time and money to set up pop-ups or banners have now been told that 'implied consent' is compliant with the law, making their well-meaning efforts pointless and probably costly."

Guidance from the ICO now states that those setting cookies must:

  • Tell users about the use of cookies
  • Explain what cookies do
  • Obtain consent, or implied consent, to store a cookie on a user's device.

The ICO's stance on implied consent as stated in their guidance notes reads: "For implied consent to work there has to be some action taken by the consenting individual from which their consent can be inferred."

"The key point, however, is that when taking this action the individual has to have a reasonable understanding that by doing so they are agreeing to cookies being set."

The ICO can fine businesses up to £500,000 for failing to comply, although the Financial Times recently reported that three in four businesses in the UK have yet to implement the new regulations.

The ICO said it will continue to help businesses comply with the law providing site owners were making genuine progress towards compliance.