95% of firms not ready for cookie laws
By Nicole Kobie
Posted on 10 Apr 2012 at 10:35
The vast majority of new websites don't comply with new cookie consent laws, according to a study from KPMG.
The new law requires sites to ask for consent before dropping cookies onto users' computers. While the EU Directive technically came into force last year, it isn't being enforced in the UK until 26 May - but it appears few sites are ready for the change.
KPMG audited 55 "major" websites, finding only one that specifically asks for user consent and two that said they were being updated to meet the rules by the deadline.
Where to start
Experts recommend three steps to compliance:
1) Find out what cookies your site uses, and remove ones that aren't key to your business
2) Alert users to cookies via a prominent link or pop-up
3) Start asking for consent, first in easy places such as logins, before expanding across your site
"Whilst the majority of websites we analysed made a reference to the use of cookies under either the terms and conditions or specific privacy policies, and some also state how the cookies are being used, this is not enough to ensure compliance with the directive," said Stephen Bonner, a partner in the information protection and business resilience team at KPMG.
"Organisations now need to focus their efforts on establishing an inventory of their websites and the cookies currently in use, before evaluating their purpose, and establish a pragmatic plan to ensure compliance," he added.
With more than a month to go before the rules come into force, it's no surprise many sites don't yet offer full compliance - especially as the Information Commissioner's Office (ICO) has no plans for immediate fines.
While those organisations that don't meet the deadline can technically face a £500,000 fine, Commissioner Christopher Graham has said the ICO won't take action against those that are working towards meeting the law.
"When our 12-month grace period ends, there won't be a wave of formal enforcement actions taken against those who aren't yet compliant, but are trying to get there," Graham said last year.
Ironically the ICO website uses a cookie to track whether a user has given permission for cookies to be used.
By 0thello on 10 Apr 2012
@0thello
On the other hand, without that cookie, they would have to ask on every visit, if the user wants to save the cookie or not...
For a single visit to a site, they could use the session to hold the answer (and all other information they want, as that isn't a cookie)...
Pretty pointless.
By big_D on 10 Apr 2012
Not ironic
0thello's wording seems a bit misleading - "whether" implies that they set a cookie to show if a user has REFUSED permission (which of course would be ironic), as well as if they accepted.
But the cookie is set ONLY IF they tick the box and give permission, so it doesn't have to be ticked again (which is perfectly reasonable). If they don't tick the box, it reappears next time because no cookie has been set (there is no way of actively refusing permission).
By halsteadk on 10 Apr 2012
Why are cookies bad but our government knowing where we've been and who we've been emailing good?
By Mark_Thompson on 10 Apr 2012
When does 'enforced' not really mean 'enforced'?
Whether you agree with it or not, the EU Directive came into force last year. There's been a 'grace period' of 12 months (not unusual) before the legislation is 'enforced' in UK law.
Except it seems that 'enforced' doesn't really mean 'enforced' in the ICO's dictionary, because website owners for whom the change is apparently far too complex to have been achieved in 12 months will be immune from any action as long as they are 'trying to get there'.
How about, instead, slapping the maximum £500,000 fine on any website owner not compliant by the deadline they've known about for a whole year. I wonder how many website owners would still be 'trying for compliance' by the deadline if they'd had any fear of being fined?
Is there any point at all to the ICO?
By PRcons on 12 Apr 2012
EU Department of Inept Legislation
Here we go again.
It is not too long ago that a Windows Update deleted my installed Internet Explorer and forced me to answer a browser ballot so that I could get it back again. At the time, I had 5 browsers installed on my computer. I considered this to be reckless interference, worse than the supposed problem the browser ballot was supposed to solve.
But who do I email in the EU to register a complaint? Anyone got an email address for Neelie Kroes?
Now we find the same ineptness applied to cookies. Browsers can be configured to refuse cookies, accept them, or ask the user to accept or refuse them. Why is that not enough?
The Eurocrats who insist on getting up our noses with this nonsense should be hauled before the European courts for bringing the EU into disrepute (which I gather is an offence).
It's a pity they don't do something useful, such as make it illegal for laptops and mobile phones to be adulterated with unremovable or hard-to-remove crapware prior to purchase, or making it illegal to bundle phones into phone contracts or lock phones to a network, or making it illegal for obnoxious vendors to fight each other over the patenting of different radii of corners for their rectangular boxes with glass fronts, so that users have freedom of choice rather than having to put up with smothering tyranny.
Perhaps I am asking too much to imagine that EU bureaucrats would do something to free people from smothering tyranny.
By fogtax on 12 Apr 2012
Fine 'em back to the Stone Age
PRcons wants to slap a half million fine on every web site owner - well that's me stuffed as everything I own gets nowhere near that. And every other Mom&Pop website that happens to use Google Analytics has to invent their own wheel to stay out of the workhouse. Crazy! Is crazy!
By andy_g on 12 Apr 2012
Do any European sites comply with the law?
I often use non-UK European websites, and I have yet to be asked for permission for them to set a cookie. Does this mean that all other EU Member States have also delayed implementation by 12 months, or could it just be that the equivalent bodies to the ICO elsewhere are implementing the directive with more of a light touch?
By ianbyrne on 13 Apr 2012
