Most government sites to miss cookie deadline

The majority of government department websites will miss a UK deadline to be compliant with privacy laws regarding cookies, according to the Cabinet Office.

ICO boss Christopher Graham says the organisation will take a soft-touch approach with companies that fail to comply with the new rules on website cookies. Image credit: Jack Putter

Nevertheless, data protection authorities are "not going to go off on some crusade" against organisations that miss the deadline at the end of May, according to Information Commissioner Christopher Graham.

Most public-sector organisations will miss the deadline on 26 May, a Cabinet Office spokesman told the BBC on Thursday.

"As in the private sector, where it is estimated that very few websites will be compliant by 26 May, so it is true of the government estate," a Cabinet Office spokesman told the BBC. "The majority of department websites will not be compliant with the legislation by that date."

The Cabinet Office told ZDNet UK on Thursday that departments were making efforts to comply with the regulations.

"Department websites are actively working to achieve compliance at the earliest possible date," the Cabinet Office said in a statement. "We understand that the expectation from the ICO is that organisations both public and private sector need to demonstrate that they are moving towards compliance."

The UK Privacy and Electronic Communications Regulations (PECR) were updated last May to include provisions requiring companies to get user consent before uploading cookies — programs installed on a user's computer to track online behaviour. Organisations were given a year to move towards complying with the regulations.

Soft-touch approach

Information Commissioner Christopher Graham told ZDNet UK in April that his office will take a soft-touch approach with non-compliant organisations that miss the May deadline, as long as companies are making an effort to comply.

"I want people to get on with it, but I'm not going off on some crusade on the 27 May just because it's the 27 May," Graham told ZDNet UK at the Infosec Conference. "We're not going to go round on the day after the year runs out and say, 'Who can we menace?' but, where we need to take regulatory action, the key thing is — well what have you done?"

Organisations do not need to gain consent for cookies that are "strictly necessary" for the operation of the business, according to the regulations.

Cookies such as those that track user interactions with a website — web analytics cookies — are not strictly necessary, said Graham. However, the ICO is unlikely to fine organisations over issues such as web analytics cookies.

"Am I going to go out imposing civil monetary penalties on people using analytics cookies without consent of their customers? The answer is, I've got other priorities. I've 101 things to do. It's all about being proportionate and selective," Graham told ZDNet UK.

If the ICO receives any complaints about organisations' use of cookies, the watchdog will examine whether organisations have conducted an audit of cookies they are placing on computers, and whether companies are working on how to get consent.

In August 2011, SOCITM said that most public sector organisations were not prepared for cookie laws.

Topic: Security

Tom Espiner

Tom is a technology reporter for ZDNet.com. He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.

Talkback

1 comment
  • The definition of 'essential to site operation' is open to a wide interpretation it seems, the NHS jobs website being a classic example where access to current vacancies is wholly dependent on an ever-changing session cookie being present. No cookie, no lookie!

    As for third party advertising cookies...
    Bill Stickers Is Innocent!
    I fail to see how a website can be held accountable for the actions of a third party. In the real world is the owner of a billboard ever prosecuted when somebody takes umbrage at an advertising campaign?
    anonymous