Most government sites to miss cookie deadline

The majority of government department websites will miss a UK deadline to be compliant with privacy laws regarding cookies, according to the Cabinet Office.

ICO boss Christopher Graham says the organisation will take a soft-touch approach with companies that fail to comply with the new rules on website cookies. Image credit: Jack Putter

Most public-sector organisations will miss the deadline on 26 May, a Cabinet Office spokesman told the BBC on Thursday.

"As in the private sector, where it is estimated that very few websites will be compliant by 26 May, so it is true of the government estate," a Cabinet Office spokesman told the BBC."The majority of department websites will not be compliant with the legislation by that date."

The Cabinet Office told ZDNet UK on Thursday that departments were making efforts to comply with the regulations.

"Department websites are actively working to achieve compliance at the earliest possible date," the Cabinet Office said in a statement. "We understand that the expectation from the ICO is that organisations both public and private sector need to demonstrate that they are moving towards compliance."

The UK Privacy and Electronic Communications Regulations (PECR) were updated last May to include provisions requiring companies to get user consent before uploading cookies — programs installed on a users' computer to track online behaviour. Organisations were given a year to move towards complying with the regulations.

Soft-touch approach

Information Commissioner Christopher Graham told ZDNet UK in April that his office will take a soft-touch approach with non-compliant organisations that miss the May deadline, as long as companies are making an effort to comply.

"I want people to get on with it, but I'm not going off on some crusade on the 27 May just because it's the 27 May," Graham told ZDNet UK at the Infosec Conference. "We're not going to go round on the day after the year runs out and say, 'Who can we menace?' but, where we need to take regulatory action, the key thing is — well what have you done?"

Organisations do not need to gain consent for cookies that are "strictly necessary" for the operation of the business, according to the regulations.

Cookies such as those that track user interactions with a website — web analytics cookies — are not strictly necessary, said Graham. However, the ICO is unlikely to fine organisations over issues such as web analytics cookies.

"Am I going to go out imposing civil monetary penalties on people using analytics cookies without consent of their customers? The answer is, I've got other priorities. I've 101 things to do. It's all about being proportionate and selective," Graham told ZDNet UK.

If the ICO receives any complaints about organisations' use of cookies, the watchdog will examine whether organisations have conducted an audit of cookies they are placing on computers, and whether companies are working on how to get consent.

In August 2011, SOCITM said that most public sector organisations were not prepared for cookie laws.