British websites have until Saturday to comply to new requirements demanding web sites disclose the dissemination of cookies to visitors.
Under the regulations, web sites would be required to disclose when cookies were used and why.
One such message on web site Virgin Money Giving read:
The deadline was 12 months after the British Information Commissioner (ICO) announced the enforceable requirements.
In March last year, Commissioner Christopher Graham admitted that the roll-out of this new law would be a challenge, but said that it will have positive benefits as it would give people more choice and control over what information businesses and other organisations can store and access.
With the laws due to be enforced from 26 May 2011, Graham announced that websites would be given a year's grace, saying that excessive pop-ups would "ruin some users' browsing experience", but that the law would give consumers more choice when it comes to what companies know about them.
“Although there isn't a formal transitional period in the regulations, the government has said they don't expect the ICO to enforce this new rule straight away. So we're giving businesses and organisations up to one year to get their house in order. This does not let everyone off the hook. Those who choose to do nothing will have their lack of action taken into account when we begin formal enforcement of the rules.”
Halfway through the year, Graham said website owners "must try harder" to comply with the cookie law as very few sites were perfectly compliant from day one, but good things were being done.
With regards to this week's Saturday deadline, Graham said in December that there would "not be a wave of knee-jerk formal enforcement action taken against people who are not yet compliant", and those working towards compliance should keep going.
He said: “If you haven't started yet, you need to be reading the advice, speaking to your peers, looking at how other websites inform and empower their users.
“But if you have decided that this is all too difficult, that you don't want to give your users choices about how your web pages might collect information about them, or that you will get around the law by willfully misleading people about what you do and how you do it, then be assured that if we get complaints or have concerns then we will be checking your site and we will take the necessary steps to ensure that you do work towards compliance.”
He also admitted that there was no silver bullet solution and he was not expecting an invention. “If we approach your organisation about this topic, perhaps because we have received complaints, we expect you to be able to tell us what you have done so far, how you expect to be compliant and how long it will take,” he said.
So it is probably fair to say that the ICO will not be handing fines out come Monday morning, having spent the weekend scavenging the internet for non-compliant sites. It is more likely to focus on larger websites and await customer feedback on cookie non-compliance.
Phil Lee of law firm Field Fisher Waterhouse said the year of grace has had a number of positive effects, specifically shining a light on how little many website operators really knew about what they and others were collecting.
“It has also encouraged a greater level of transparency around online data collection and has encouraged the development of some innovative cookie control solutions,” he said.
He recommended: auditing your cookie use and working out what you've got; assessing the intrusiveness of your cookies; adopting a notice and consent strategy (express or implied) appropriate to the intrusiveness of your cookies; and implementing forward-facing cookie management mechanisms.
Eduardo Ustaran, partner at Field Fisher Waterhouse, said no one will get fined for cookie consent breaches under the current UK law as the threshold for monetary fines in the UK is so high as to make them unlikely.
He said: “However, it would also be extremely foolish to assume that in the absence of fines, non-compliant websites are simply off the hook. Quite the opposite. The ICO will focus instead on ensuring that infringing sites are forced to get their house in order within a limited period of time; therefore both undertakings and enforcement notices will become the preferred enforcement tool in this area.”
The end of the year's grace is also stirring media reports about the lack of preparation. A report by BBC News said that the "majority" of the UK government's own websites will fail to comply in time, with a Cabinet Office spokesman saying that the affected sites range from those run by local councils to national departments.
A report by ComputerWorld UK said that this week the ICO will issue a letter of warning to the UK's ‘top 50' websites, which include those of central government departments. David Smith, deputy commissioner at the ICO, confirmed this.
Also, another report by Computer World claimed that the ICO may give organisations with complex website environments years to comply with the law, allowing some to work to “sensible timelines” to achieve compliance.
Jonathan Armstrong, lawyer at Duane Morris LLP, said: “The debate over the use of tracking tools on websites has been developing for some time. Many website operators simply do not know how many cookies are on their sites.
“Businesses may want to check their sites to determine where they are using cookies and what those cookies are doing and they also may want to stop using unnecessary cookies, especially those sending data to third parties. Businesses may then develop ways of informing visitors to their sites what is happening to their data and getting consent to those practices. Given that the law is still in a state of uncertainty, transparency should be the guiding principle of any business in its online activities.”
As Armstrong said, this should be about transparency, and while the ICO will not crack down immediately on those who have not been compliant, it will want to see some effort on becoming so.
Who knows, that could even be minutes from a meeting where compliance was discussed, or a full-scale roll-out plan for the corporate website. As ever with compliance, it is better to do something rather than nothing.