In recent weeks, 50 major organisations have been forced to toil away on replies to letters from the UK Information Commissioner, asking how they intend to comply with EU rules on privacy and computer cookies.
Each organisation was given a strict window of opportunity in which to set out its compliance plans, once it emerged that most UK-based websites would miss a late-May deadline to fall in line with the relevant laws. To meet their obligations, webmasters had to implement tools enabling users to give ‘informed consent’ over cookies: pieces of software that retain data on people’s online habits, so that websites can recognise returning visitors and provide targeted adverts.
Spurred by concerns in European governmental circles over the privacy implications of storing such data, the EU’s Privacy and Electronic Communication Regulations (PECR) were issued in May 2011. And as Chris Saunders of Mundays Solicitors wrote on NewLegal Review last year, the UK had managed to secure one year’s grace for complying. With that period now squandered, the Commissioner’s office is keen for leading private-sector bodies to set out their plans.
In a recent talk at the London School of Economics (LSE), deputy information commissioner David Smith stressed that ‘big multinational’ players were in the spotlight. Smith admitted that achieving compliance could be ‘very complex’ for companies with more sophisticated web offerings, as they ‘may not even know which cookies they are using and what they do’. Online journal Computer Active read that remark as a sign that the Commissioner would take a ‘softly-softly’ line – but that seems unlikely, given the stature of organisations that the Commissioner has pursued, all of which will be glad that the list hasn’t been made public.
Ironically for the Commissioner, at the same time that it became clear private-sector bodies would miss the mark, the Cabinet Office announced that the ‘majority’ of government department websites would also ‘not be compliant with the legislation’. While government websites do not feature advertising, cookies are still used to carry out various other tasks, such as helping site managers to monitor visitor behaviour and traffic levels. The Cabinet Office stressed that it was ‘working to achieve compliance at the earliest possible date’.
Although this may seem at first glance to be a situation worthy of satire – government unable to achieve compliance on a law it has nonetheless implemented – it is hard to avoid the impression that there is a glaring double standard here. The government cannot fine itself – but it is more than prepared to put pressure on companies that don’t have the same defence.
According to Stephen Bonner – partner in the Information Protection and Business Resilience team at auditing firm KPMG – the situation for those companies could be very serious. Following a recent survey of 55 leading UK corporations, the firm predicted that PECR compliance in the private sector would be very low – and Bonner stressed that most companies were only paying lip service to the regulations.
‘Time is running out for them – so they need to act to avoid severe financial penalties.’
The Information Commissioner’s office – which is ultimately in charge of enforcing the PECR – can employ a number of measures to penalise failure or refusal to comply voluntarily with the regulations. These include ‘Undertaking’ and ‘Enforcement’ notices compelling organisations to take the actions specified therein to achieve compliance. Resistance to these notices will count as a criminal offence.
Offenders will be required to pay fines of up to £500,000 per violation, where they are deemed to have ‘seriously contravened the regulations’ in such a way that the contravention is ‘likely to cause substantial damage or distress’. Violations must either be ‘deliberate, or the person must have known – or ought to have known – that there was a risk that a contravention would occur, and failed to take reasonable steps to prevent it’.
So, even though it is unlikely that formal action will be taken if cookies have a low level of intrusiveness and risk of harm to individuals, it is clear that organisations can only benefit themselves by demonstrating that they have done everything in their power to provide users with clear details of how to make cookie choices.