Regulator gives UK websites one year to comply with cookie rules

A revised version of the Privacy and Electronic Communications Regulations comes into effect tomorrow, bringing the UK’s rules into line with a European directive.

The new rules on cookies come in response to concerns that internet users have little control over how their activity is tracked online. Cookies are small text files that websites place on people’s computers when they visit a site in order to identify their machine. They allow sites to do things like remember a user’s preferences, save the contents of their shopping basket, track their browsing habits or deliver targeted advertising.

Publishers and advertisers say that stricter rules on cookies will damage people’s online experience and make it harder to deliver useful content.

Information commissioner Christopher Graham (pictured) said today that he wanted to balance privacy concerns with user experience.

Graham said: “I have said all along that the new EU rules on cookies are challenging. It would obviously ruin some users’ browsing experience if they needed to negotiate endless pop-ups – and I am not saying that businesses have to go down that road. Equally, I have to remember that this law has been brought in to give consumers more choice about what companies know about them. That’s why I’m taking a common sense approach that takes both views into account.”

Culture minister Ed Vaizey wrote an open letter yesterday to website owners saying that the rules did not specify that ‘prior’ consent was required for cookies to be used, and that it would be acceptable to get consent during or after processing.

The ICO’s own site now carries a header that appears to users whose browser settings allow cookies, informing them that the site uses cookies. It says that one cookie which is “essential for parts of the site to work” has already been placed, and that some parts of the site will not work unless cookies are accepted. There is a tick box for users to accept cookies if they choose to, and a link for further information.

“As the regulator, I’m conscious that my own website will be looked at for a model of how to comply,” said Graham. “I am not saying that other wbsites should necessarily do the same. Every website is different, and prescriptive and universal ‘to do’ lists would only hinder rather than help businesses to find a solution that works best for them and their customers.”

The ICO previously said that if complaints are received about websites, it will expect the owners to show how they have considered the new law and “that they have a realistic plan to achieve compliance”.

Publishers have up to a year to comply, Graham said today, but “those who choose to do nothing will have their lack of action taken into account when we begin formal enforcement of the rules”.

The new regulations also give the ICO the power to impose financial penalties on telecoms and internet firms that fail to notify the regulator about data breaches, and stronger powers to investigate nuisance marketing calls.