07/06/2013

Too many businesses ignoring cookie consent and risking up to £500,000 fines, Gordons warns

Gordons is warning that too many business websites are still not complying with cookie consent regulations and that their operators are risking fines of up to £500,000.

Cookies are tracking programs – small text files planted onto users’ computer hard drives when they visit websites. Their main purposes include remembering users when they next visit and tracking their behaviour while browsing the Internet. Their functions also include remembering goods users have placed in baskets, so they can buy these when they finish shopping.

Under the Privacy and Electronic Communications Regulations, businesses must explain clearly and fully to users the purposes for which they use, store and access cookies. Users then have to provide “freely given, specific and informed” consent to these. The agreement sought must also reflect who the users are, so businesses need to consider factors such as their age and level of understanding.

The Information Commissioner’s Office (ICO), which deals with breaches of data protection law, has been actively enforcing the new rules since May 2012 and can levy financial penalties.

However, findings from KPMG in May 2013 indicated half the UK’s biggest websites were still not obeying the rules. The firm analysed 55 major sites, finding a mere 2% sought explicit permission before installing cookies, with only 43% of the rest requesting implicit consent through pop-up notifications. Another 4% complied by not using cookies at all.

Charlie Smith, a solicitor in Gordons’ commercial team, explained: “The types of cookie which the rules do not apply to are those planted solely for transmitting communications over electronic networks and strictly necessary for providing information society services users have requested. Cookies placed on users’ computers purely so websites can remember what they’re buying are therefore exempt.”

Charlie said publication of the KPMG findings should, for more than one reason, set alarm bells ringing among businesses not currently complying. Not only was non-conformity always risky, but the research was likely to make the issue higher profile and increase pressure on the ICO to police the regulations more effectively.

Gordons has produced a guidance note for businesses on how to comply with the rules. This provides a clear, three-stage route to compliance, starting with an audit, to determine the types of cookie used, and ending with installing a suitable banner or pop-up box.

You can download the document here.