Online outlets 'must try harder' to comply with cookies law

The Information Commissioner has released a half-year report after the introduction of new EU legislation on accessing information on user's computers, in which he says websites "must try harder" to comply.

Commissioner Christopher Green has also released new guidance on the rules, which mean websites are required to obtain consent from visitors in order to store and retrieve usage information from their computers such as cookies.

The guidance reminds website owners that cookies, which are used for "analytical, first and third party advertising, and ones that recognise when a user has returned to a website, will need to comply with the new rules".

It also calls on websites to be "open and honest about how they work" in order to give users of the site "a general level of understanding about what is likely to happen on the pages they use".

The guidance also sets out the accepted form of consent, which "must involve some form of communication where the individual knowingly indicates their acceptance".

"This may involve clicking an icon, sending an email or subscribing to a service. The crucial consideration is that the individual must fully understand that by the action in question they will be giving consent."

In terms of third party cookies, such as those which may be dropped by the inclusion of Facebook and Twitter buttons on a site, the guidance states that "the person setting the cookie is ... primarily responsible for compliance with the requirements of the law".

"Where third party cookies are set through a website both parties will have a responsibility for ensuring users are clearly informed about cookies and for obtaining consent. In practice it is obviously considerably more difficult for a third party who has no direct interface with the user to achieve this.

"It is also important to remember that users are likely to address any concerns or complaints they have to the person they can identify or have the relationship with – the company running the website. It is therefore in both parties’ interests to work together."

The guidance recommends third parties "may wish to consider putting a contractual obligation into agreements with web publishers to satisfy themselves that appropriate steps will be taken to provide information about the third party cookies and obtain consent".

However the Information Commissioner's Office (ICO) has said its regulation of the rules will be focused on "the most intrusive cookies or where there is a clear privacy impact on individuals".

"The guidance we've issued today builds on the advice we've already set out, and now includes specific practical examples of what compliance might look like," Graham added in a statement.

"We're halfway through the lead-in to formal enforcement of the rules. But, come 26 May next year, when our 12-month grace period ends, there will not be a wave of knee-jerk formal enforcement actions taken against those who are not yet compliant but are trying to get there."

But he said that many sites still "need to get to work" on "implementing the law".

"Our mid-term report can be summed up by the schoolteacher's favourite clichés "could do better" and "must try harder."

"... Some people seem to want us to issue prescriptive check lists detailing exactly what they need to do to comply. But this would only get in the way and would be too restrictive for many businesses and organisations," he added.

"Those actually running websites are far better placed to know what will work for them and their customers."

The new legislation was the result of an amendment to the EU's Privacy and Electronic Communications Directive.

While the ICO is able to issue fines of up to £500,000 to websites - including publisher sites - which fail to comply, senior policy officer Katherine Vander told Journalism.co.uk in June this year that financial penalties would only be faced by "persistent offenders".

Free daily newsletter

If you like our news and feature articles, you can sign up to receive our free daily (Mon-Fri) email newsletter (mobile friendly).