Privacy watchdog to chase big companies over cookie law

Privacy watchdog to chase big companies over cookie law

Summary: The Information Commissioner's Office plans to quiz 50 large British businesses over whether they are complying with new rules to tell people about cookies on their sites, but does not envisage levying fines at first

TOPICS: Security

The UK's privacy watchdog is set to chase 50 large businesses over their use of cookies, as a deadline looms for them to comply with a law meant to let people know when their web use is being tracked.

The revised Privacy and Electronic Communication Regulations (PECR) issued in May last year call on public and private sector organisations to get the user's consent before uploading cookies to their computer. Those based in the UK were given a year's grace to do so, but are fast approaching a deadline — 26 May — to be compliant with the cookie law.

Christopher Graham

ICO boss Christopher Graham has said the watchdog will take a soft-touch approach with companies that fail to comply with new cookie rules. Image credit: Jack Putter

On Friday, the Information Commissioner's Office (ICO) said it plans to check that the most prominent users of the web-tracking technology in the UK are following the regulations.

"One of the things we are doing is writing out to the 50 or so major businesses with major website presence to remind them of their obligations, to ask them what they are doing, and to ask them to respond to us within 28 days," deputy information commissioner David Smith said at an event at the London School of Economics. "That is an area we will follow up."

Asked whether Google or Facebook was among those in the letter-writing campaign, Smith declined to give specific names.

"I can't tell you just who's on that list, [as] we're compiling that list at the moment," he told ZDNet UK. "But big multinational users will feature there."

The 50 companies will be asked whether they have carried out an audit of their cookie use. This covers the steps they have taken to check that use; whether they have gauged how intrusive their use is; and how they go about getting consent from users. The ICO will then gauge whether these are in line with its guidance (PDF).

The letters will also go out to some government departments, most of which do not comply with the law at the moment, according to the Cabinet Office.

"They will feature in the 50 which we are contacting," Smith noted. "We will look to complaints that we get about them, and we will follow them up. Government websites should be setting an example here."

Fines 'unlikely'

However, if a site is in breach of regulations, the ICO does not plan to come down hard on its owner straight away. At the moment, it will only act against a company if the watchdog receives complaints about cookie use, and is unlikely to fine any company, according to Smith.

"All we are doing is removing the moratorium, so that any non-compliance is considered as non-compliance," he told ZDNet UK. "It's most unlikely that cookie's non-compliance will attract monetary penalties, unless you have reached criteria about a serious breach or have caused substantial distress."

"Enforcement is likely to be enforcement notice, which places a requirement on an organisation to stop using cookies," he added.

The new regulations do specify that implied consent can be taken if the cookie is vital to the operation of the site — as with online retail sites, for example.

The ICO is increasing the staff in its enforcement department from 21 to 47 as part of its push to make sure businesses are toeing the line. The dedicated PECR team will look at cookies and other topics covered by the regulations, such as spam calls and texts, the ICO told ZDNet UK. It will eventually have five members of staff — three posts have been filled, and two are being recruited.

Topic: Security

Tom Espiner

About Tom Espiner

Tom is a technology reporter for He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • I read that many of the governments own websites are not yet compliant...shouldn't they sort that out before chasing others - slightly hypocritical !
  • Hi All I have looked into the cookie law today, there are a few solutions that these websites can use. Just add the widget and update your policy page.
    Take a look at one kid of widget:
  • @Crupal.. How does refusing your websites cookies help my privacy? A quick look at your page script reveals four sets of code provided by 3rd parties (Google analytics, Helponclick, Sharethis, Silktide) that are known to be (or at least be capable of) profiling a visitors PC and tracking it across the web. In addition two external images (itp-88-31.gif, computer-repair-100.gif) can also be used to obtain information about a vistors PC in a similiar manner. Whilst not as 100% accurate as tagging a visitor with a cookie the results can still be very revealing see for a demo and see how unique your PC is ;)
  • Your correctness about Government websites not being compliant with their own websites is correct. Most criticism of other people takes so many resources the locally available problems are often ignored. This site might ignore the fact this comment is a reply to another comment.