On 23rd April 2012, we posted our thoughts on the EU privacy law, otherwise known as the Cookie Law, as we were approaching the end of the year’s grace afforded to us by the Information Commissioner's Office (ICO) to become compliant. Websites were potentially facing fines of up to £500,000 if they weren’t compliant with the law, which required them to explicitly gain consent from visitors to their site before using cookies.
Then in the last month, the BBC reported that the majority of government websites would not meet the deadline for compliance, 26 May 2011. However, it was also reported that the ICO would not take any action on sites that were not fully compliant, as long as they were able to demonstrate a commitment to ultimately becoming compliant with the law. Needless to say, this frustrated some website owners, who had invested time and money in becoming compliant by 26 May 2011.
Now the latest communication from the ICO is likely to go a step further to bewilder and frustrate those website owners and the rest of us. Whereas before they had said that the general public en masse lacked the necessary insight about cookies for site owners to rely on implied consent, now, in contradiction to their original perspective on the law, ‘implied consent’ is apparently OK, shifting responsibility away from the website owner.
Let’s just clarify that the ICO hasn’t changed the legislation; they are just responsible for enforcing it in the UK. Their new interpretation of the law could lead to us being out of step with the rest of Europe and, later down the line, to squabbles in the European Courts.
By no means should any website take this communication from the ICO as a reason to do nothing about the law. Although you may no longer have to gain the explicit consent of every individual user, you still need information on cookies to be immediately visible. The potential fines of up to £500,000 for sites that the ICO views as noncompliant certainly haven’t been repealed, but the change will come as something of a relief to sites yet to take any real measures in complying.
Our sympathies are with those sites that invested in adhering to the original guidelines, and we are left questioning why this U-turn was left until the last minute. Whether it be the EU or the ICO, yet again you can’t help but feel that none of this has been thought out properly.