Top UK sites 'do not comply' with anti-cookie law

Most UK e-commerce sites will have to change the way they handle customer data in order to comply with new laws, according to new research

Most of the UK's busiest e-commerce Web sites do not comply with a new UK data protection law that restricts the way companies may store customer data, according to a study.

The Privacy and Electronic Communications Regulations 2003, Britain's implementation of the EU Privacy and Electronic Communications Directive, came into force on 11 December. They make it an offence for a UK company to send junk email or text messages to personal addresses, unless the recipient is an existing customer or has given their permission to receive such material. Firms who flout the law could face a £5,000 fine for each breach.

The new law also covers cookies, which are small files that a Web site places on a user's hard drive to help it identify the user. Web sites using cookies will now have to offer clear and explicit information about how the cookies are being used, as well as an option for users to refuse them.

Cookies are generally used to allow sites to remember a user's details, such as login information. If implemented properly, they are generally considered not to pose a threat to users' privacy.

Of the UK's top 90 e-commerce sites, nearly a quarter had no privacy policy at all, and almost none complied with best practice recommendations on cookies, according to a study by e-commerce software maker WebAbacus.

The company examined the most popular e-tailers as defined by Hitwise, including Amazon.co.uk, Tesco.com, Dabs.com, Dixons and Empire Direct, on 10 December. "The findings show that companies are either not aware of the legislation, or are ignoring it," said WebAbacus strategic development director Ian Thomas in a statement, although he said sites are likely to update their practices now that the law is in effect.

There are several possible ways for sites to comply with the law, but best practice is to allow users to turn off cookies for the site with a single click, WebAbacus said. This was offered by only two of the sites examined, those of Dixons and Currys, both part of Dixons Group. This method sends a cookie to the user's PC which contains no personal or identifying information, only telling the site not to send further cookies.
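The single-click opt-out mechanism described above, as an added illustration that is not code from WebAbacus or from any of the sites named: a server-side sketch in which a marker cookie carrying no user data suppresses all non-essential cookies while the site's "strictly necessary" session cookie keeps working. The cookie names and the split between necessary and optional cookies are assumptions for the example.

```python
from http.cookies import SimpleCookie

# Assumed name (not from the article): the opt-out marker cookie.
# Its value is a fixed literal, so it identifies nobody.
OPT_OUT_NAME = "cookies_optout"

# Constructed policy: attributes for each cookie the site may set.
# "Strictly necessary" cookies survive an opt-out; optional ones do not.
STRICTLY_NECESSARY = {"session": "Path=/; HttpOnly; Secure"}
OPTIONAL = {"analytics_id": "Path=/; Max-Age=31536000",
            "recent_views": "Path=/; Max-Age=604800"}

def _parse(cookie_header):
    """Parse a request Cookie header (may be None) into a SimpleCookie."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    return jar

def has_opted_out(cookie_header):
    """True if the request carries the opt-out marker with value '1'."""
    jar = _parse(cookie_header)
    return OPT_OUT_NAME in jar and jar[OPT_OUT_NAME].value == "1"

def set_cookie_headers(cookie_header, values):
    """Set-Cookie headers for an ordinary page view.

    `values` maps cookie name -> value the application wants stored.
    When the user has opted out, optional cookies are never sent at all;
    names the policy does not know are refused in every case.
    """
    opted_out = has_opted_out(cookie_header)
    headers = []
    for name, value in values.items():
        if name in STRICTLY_NECESSARY:
            headers.append(f"{name}={value}; {STRICTLY_NECESSARY[name]}")
        elif name in OPTIONAL and not opted_out:
            headers.append(f"{name}={value}; {OPTIONAL[name]}")
    return headers

def opt_out_headers(cookie_header):
    """Set-Cookie headers for the one-click opt-out link.

    Sets the data-free marker for a year and expires any optional cookies
    the browser already holds, so opting out also clears past tracking.
    """
    jar = _parse(cookie_header)
    headers = [f"{OPT_OUT_NAME}=1; Path=/; Max-Age=31536000; SameSite=Lax"]
    for name in OPTIONAL:
        if name in jar:
            headers.append(f"{name}=; Path=/; Max-Age=0")
    return headers
```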

Instead of this method, many sites' privacy policies contain information about blocking in the Web browser's settings. Fifty-three percent had some information about cookies in the privacy policy, while 8 percent had detailed information about cookies and how to block them through the browser. Twelve percent had a privacy policy, but didn't include information about cookies.

Providing information on blocking cookies will probably ensure compliance, according to intellectual property law firm Masons, but this policy is ambiguous because there are many different browsers, each handling cookies slightly differently.

The firm noted that a clause in the law exempts sites if cookies are "strictly necessary" to the site's functioning, an exemption which could make the law difficult to enforce. However, ambiguity will only increase users' uneasiness about how their personal data is being used, Thomas said. "The industry needs to set its own standards and make those standards clear, so that individuals can easily identify Web sites that are behaving responsibly with their data," he stated.

Others have roundly criticised the law's anti-spam provisions for carrying mild sanctions and exempting business e-mail addresses.

IT trade association Intellect last week warned that smaller firms could suffer because of the added cost of managing and storing data, while spam levels would probably not change. "The new regulations have the potential to do more harm to law-abiding businesses than to the spammers we are attempting to stop," the organisation said.

Masons offers information about the cookie laws at www.aboutcookies.org.