by Andrew Neilson
This weekend brings with it the 26th May 2012 deadline for compliance with the "Cookie Law." Although website owners will be spending this week working hard to ensure that they are up to speed with the ICO’s (Information Commissioner’s Office) expectations once Sunday arrives, enforcement of the directive is likely to be as reactive as it has been for previous regulations of its kind.
This is despite the fact that—as well as laying out new rules for how websites can deploy cookies and other similar tracking technologies—the PECR (Privacy and Electronic Communications Regulations) update has granted powers of enforcement to the ICO, including the right to impose monetary penalties of up to £500,000 on organisations whose websites are deemed to be in serious breach of the law.
The PECR update, originally issued on the 26th May 2011, has been widely referred to as the "Cookie Law" because the biggest change to the rules relates to how organisations use "electronic communications networks to store information—e.g. by using cookies—or gain access to information stored in the terminal equipment of a subscriber or user." The regulations require that websites consider the user's default position toward cookies—such as those on which Google Analytics relies—to be "opt-in" rather than "opt-out."
The ICO showed clear awareness of the magnitude of compliance work for website owners by announcing a year-long grace period. Some commentators interpreted this to mean that the ICO would begin concentrated enforcement of the directive at the end of this period.
Website owners and providers in the UK—including those of us at VerseOne—have been working hard, dedicating time and resource to making sure that we are following the letter of the law on our own sites and those of our customers.
Now that the ICO has revealed that they will continue to show a degree of leniency and flexibility towards non-compliance—even after their own deadline passes—the appropriateness of the regulations has come into question. Unsurprisingly, web marketers in particular continue to suggest that the update to the PECR is out of touch with the way that the web industry operates.
Others will simply be relieved that the ICO is not going to rule with a heavy hand, and perhaps take comfort in the fact that government websites themselves are struggling to achieve compliance before the deadline.
It is debatable whether the ICO will ever be able to enforce the directive effectively, but its position of leniency certainly reveals the scale, and the levelling effect, of the "Cookie Law" as all website owners find themselves in the same boat.