Privacy watchdog to chase big companies over cookie law

The Information Commissioner's Office plans to quiz 50 large British businesses over whether they are complying with new rules to tell people about cookies on their sites, but does not envisage levying fines at first
Written by Tom Espiner, Contributor

The UK's privacy watchdog is set to chase 50 large businesses over their use of cookies, as a deadline looms for them to comply with a law meant to let people know when their web use is being tracked.

The revised Privacy and Electronic Communication Regulations (PECR) issued in May last year call on public and private sector organisations to get the user's consent before uploading cookies to their computer. Those based in the UK were given a year's grace to do so, but are fast approaching a deadline — 26 May — to be compliant with the cookie law.

Christopher Graham

ICO boss Christopher Graham has said the watchdog will take a soft-touch approach with companies that fail to comply with new cookie rules. Image credit: Jack Putter

On Friday, the Information Commissioner's Office (ICO) said it plans to check that the most prominent users of the web-tracking technology in the UK are following the regulations.

"One of the things we are doing is writing out to the 50 or so major businesses with major website presence to remind them of their obligations, to ask them what they are doing, and to ask them to respond to us within 28 days," deputy information commissioner David Smith said at an event at the London School of Economics. "That is an area we will follow up."

Asked whether Google or Facebook was among those in the letter-writing campaign, Smith declined to give specific names.

"I can't tell you just who's on that list, [as] we're compiling that list at the moment," he told ZDNet UK. "But big multinational users will feature there."

The 50 companies will be asked whether they have carried out an audit of their cookie use. This covers the steps they have taken to check that use; whether they have gauged how intrusive their use is; and how they go about getting consent from users. The ICO will then gauge whether these are in line with its guidance (PDF).

The letters will also go out to some government departments, most of which do not comply with the law at the moment, according to the Cabinet Office.

"They will feature in the 50 which we are contacting," Smith noted. "We will look to complaints that we get about them, and we will follow them up. Government websites should be setting an example here."

Fines 'unlikely'

However, if a site is in breach of regulations, the ICO does not plan to come down hard on its owner straight away. At the moment, it will only act against a company if the watchdog receives complaints about cookie use, and is unlikely to fine any company, according to Smith.

"All we are doing is removing the moratorium, so that any non-compliance is considered as non-compliance," he told ZDNet UK. "It's most unlikely that cookie's non-compliance will attract monetary penalties, unless you have reached criteria about a serious breach or have caused substantial distress."

"Enforcement is likely to be enforcement notice, which places a requirement on an organisation to stop using cookies," he added.

The new regulations do specify that implied consent can be taken if the cookie is vital to the operation of the site — as with online retail sites, for example.

The ICO is increasing the staff in its enforcement department from 21 to 47 as part of its push to make sure businesses are toeing the line. The dedicated PECR team will look at cookies and other topics covered by the regulations, such as spam calls and texts, the ICO told ZDNet UK. It will eventually have five members of staff — three posts have been filled, and two are being recruited.

Editorial standards