Cookie law won't bite for a year

Summary: The ICO has said it will give businesses 12 months to 'get their house in order' before beginning to enforce new laws compelling organisations to get consent for the use of cookies

British businesses have one year to make sure their websites comply with updated rules governing the use of cookies, the UK's data protection authority has warned.

Information commissioner Christopher Graham has said businesses will have one year before they have to comply with a new EU law on cookies. Photo credit: Jack Putter/Wikipedia

The amendments to the UK Privacy and Electronic Communications Regulations (PECR), which come into force on Thursday, require companies to gain consent before placing the tracking programs on users' computers. The rules have been updated in line with the EU Privacy and Electronic Communications Directive.

However, the cookie consent laws will not be enforced immediately, information commissioner Christopher Graham said on Wednesday.

"We're giving businesses and organisations up to one year to get their house in order," Graham said in a statement. "This does not let everyone off the hook. Those who choose to do nothing will have their lack of action taken into account when we begin formal enforcement of the rules."

If the Information Commissioner's Office (ICO) receives a complaint about cookies and lack of consent before 26 May, 2012, it will be enough for the company to demonstrate it is taking steps towards complying with the law to avoid enforcement action, a spokesman for the ICO told ZDNet UK.

"We're expecting organisations to look at the law on using cookies on a website and how they can work towards compliance," the spokesman said. "Websites using a large amount of cookies may take a lot longer [to comply]."

Browser settings

Browser makers are working on settings that imply consent to cookies, but these are not yet technically feasible, according to the ICO. "Endless pop-ups" are also not the best option, as these would "ruin some users' browsing experience", it said in its statement.

The data protection agency has changed its website in line with the updated laws, and it now gives users the option to disable cookies if they wish. However, the trade-off is that some ICO services, such as the online notification form for data controllers, will not be available online if tracking is turned off.

The ICO published its PECR enforcement guidance for organisations (PDF) on Wednesday. The amended PECR rules include tougher sanctions against spammers and grant the data protection authority the power to impose fines of up to £500,000 for unsolicited emails and texts. Enforcement of all the new measures, apart from the cookie law, begins immediately.

The Department for Culture, Media and Sport (DCMS) stressed there should be "no immediate changes" to how UK websites operate as a result of the new EU rules.

"It will take time for workable technical solutions to be developed, evaluated and rolled out, so we have decided that a 'phased-in' approach is right," communications minister Ed Vaizey said in a statement.

On Tuesday, Vaizey sent an open letter to UK businesses (PDF) to reassure them that the government's approach to implementing the updated EU Privacy and Electronic Communications Directive was "light touch" and "business friendly".

Tom Espiner



  • This news to defer the regulation for a year will come as welcome news, as the EU’s directive has naturally been met with criticism from many corners, especially when you look at the example set by the US. Its self-regulation framework has not only avoided such strict compliance, but will also bring a great competitive edge over its European counterparts. Of the millions of US consumers using the internet every day, only a tiny proportion has chosen to opt out of receiving cookies on their computer, implying that the EU overestimates consumer concerns regarding online privacy. A similar self-regulation framework, such as 'Your Online Choices' involving the IAB’s “forward i” icon, offers a comprehensive and compliant system that will be audited by independent experts in the industry. This self-regulatory solution has the full support of the UK Government as it places consumers at the heart of the activity, enabling them to be fully informed. Technology is moving so fast that it should be handled by those that understand the digital environment and the extent of privacy issues affecting consumers.

    Rupert Staines, RadiumOne
  • There may be a one year grace period before enforcement of the cookie law, but it would clearly be wise for organisations to start addressing the issues now so that they have time to test and implement their chosen solution and don’t get landed with a fine because they started preparing closer to the enforcement date than the warning date.

    Solving this problem means you are going to have to first capture the cookies that your site is using, and then build a mechanism to allow users to grant consent. Whilst you could implement this in your application server code I bet you can guess where I think it makes sense to address this. More thoughts on this can be found at
    F5 Networks EMEA