ICO offers businesses cookie law guidance

The UK's privacy and data protection watchdog has offered businesses guidance on how to comply with an EU law on the use of cookie technology.

The law will come into force on 26 May thanks to an amendment to the EU's Privacy and Electronic Communications Directive, requiring companies to get permission from users before tracking activities with cookies.

The Information Commissioner's Office (ICO) has issued a nine-page document detailing the changes, with brief pieces of advice on what businesses should do to comply with the law.

"The implementation of this new legislation is challenging and involves significant technological considerations," said information commissioner Christopher Graham.

"We're responsible for regulating the new law and will undoubtedly start to receive complaints about companies who are using cookies without consent."

Graham admitted the guidance "doesn't yet provide all of the answers" as it was a work in progress.

Prior to the changes, companies only had to tell users how they used cookies and how users could opt out if they wanted to.

The Government has planned a phased approach to the implementation of the new law.

"In light of this, if the ICO were to receive a complaint about a website, we would expect an organisation's response to set out how they have considered the points above and that they have a realistic plan to achieve compliance," the document read.

"We would handle this sort of response very differently to one from an organisation which decides to avoid making any change to current practice. The key point is that you cannot ignore these rules."

As for how the ICO will enforce the regulations, it said it would release a separate document outlining possible punitive measures against those who do not comply.

Robert Bond, partner at law firm Speechly Bircham and chairman of the ICC UK EBITT Experts Group, said the implementation of the law could have a negative effect on the UK economy.

"While it is laudable that the EU is attempting to increase internet users' privacy, the haphazard way in which the Directive is still being interpreted across Europe coupled with the generic nature of these guidelines means that these changes although certainly necessary in the short term will do some damage to UK Plc's balance sheet to start off with," Bond said.

"The Government is clearly reaffirming their position that businesses must self-regulate and self-audit."

Bond said there were plenty of headaches for businesses to contend with in complying with the new law.

"Businesses who wish to protect their reputation will face a number of costly challenges ranging from extensive internal audits to determine what operational mechanisms they need to put in place, to third party expenses such as legal and IT input on how to become fully compliant," he added.

"There is also a myriad of related complications such as the hosting of third party applications on websites and the lack of consistency across European jurisdictions."

Tom Brewster

Tom Brewster is currently an associate editor at Forbes and an award-winning journalist who covers cyber security, surveillance, and privacy. Starting his career at ITPro as a staff writer and working up to a senior staff writer role, Tom has been covering the tech industry for more than ten years and is considered one of the leading journalists in his specialism.

He is a proud alum of the University of Sheffield where he secured an undergraduate degree in English Literature before undertaking a certification from General Assembly in web development.