Last year, the European Union passed new online privacy regulations stating that all websites across the EU must obtain users' permission before storing cookies. Previous laws relating to online privacy stated that website owners must tell people how they used cookies, and explain how to 'opt out' if users wanted to do so. However, the new rules say that cookies can only be placed on machines where the user or subscriber has given their consent. The only exception to the new rule is for 'strictly necessary' cases, such as remembering what a customer added to their shopping cart after they have hit 'proceed to check out.'
The rules took effect on May 26, 2011, and websites in the United Kingdom were given 12 months to comply with the new laws. In case you haven't looked at your calendar in a while, today is May 28, which means any website not complying with the law as of Saturday is now in breach of it. Interestingly enough, the BBC last week reported that the government itself was expected to miss the May 26 deadline.
"As in the private sector, where it is estimated that very few websites will be compliant by 26 May, so it is true of the government estate," a Cabinet Office spokesman told the BBC last week. "The majority of department websites will not be compliant with the legislation by [May 26]."
The spokesperson said that the government was "working to achieve compliance at the earliest possible date" but offered no indication as to when that might be. Of course, preparing your site for a change like this is no easy feat -- websites first have to do a cookie audit to determine what cookies they're storing, and then put together a solution that informs users of what they're collecting and offers them a way to opt out of cookie collection if they wish to do so. In fact, the Information Commissioner's Office has said it's well aware that it will take time to comply. It seems the ICO is happy enough to know that websites are on the path to compliance and is very understanding of those that aren't quite there yet.
"We've actually spoken to lots of organisations who are on the road to compliance," said ICO's Dave Evans. "They've told us about the steps that they've already taken [...] so we're aware lots of organisations will be compliant, either already or in the near future," he continued, later adding that the ICO knows it's not an easy task for website owners to undertake.
"From our point of view we have to recognise that this isn't an easy area for people to comply," Evans said. "I think this isn't a matter of just switching off the internet and starting again, it's not so simple as that. There's lots of work involved. For some of the organisations we spoke to, this cookie audit takes a long time because of the sheer number of cookies that they use. So while we recognise that there are issues around how long this is going to take, what we do expect is that anyone who's not ready by the end of May 2012 can at least demonstrate that they've a), taken some steps already, but b), that they've got a realistic plan that at the end of which they'll be able to say they can achieve compliance."
You can read more about the new cookie law and find additional information on compliance over on the ICO's website.