Companies face tough new rules on web cookies

BUSINESSES and organisations have been warned they face hefty fines if they fail to heed new rules on storing and using data gathered from their websites.

A major new European Union directive came into force over the weekend, forcing companies to seek users’ permission before installing data-gathering cookies on their computers.

The EU directive on privacy and electronic communications could leave firms and public sector bodies saddled with fines of up to £500,000 if they fail to comply.

However, internet experts say full compliance could damage online business, with some advising firms not to comply fully.

Cookies are pieces of data stored by a website within a browser. They are designed to allow websites to remember things users have done in the past, such as the pages they have read or links they have clicked on.

Some websites use cookies to compile extensive data on use and pass this on to third parties, such as advertisers, who can use it to tailor marketing.

The files are stored on a user’s hard drive, to enable targeted advertising and personalised web pages.

Concerns over invasion of privacy and unauthorised use of personal data prompted the EU to implement the directive.

It was enacted in May 2011, but the UK was given a year to conform.

Accountancy and advisory firm KPMG said many firms and organisations are not taking sufficient steps to ensure compliance. Its recent survey of 55 major UK organisations found 95 per cent did not adhere to the legislation.

Only one of the organisations it surveyed specifically asked users to opt in – the directive’s key requirement. “Whilst the majority of the websites we analysed make a reference to cookies in their terms and conditions or privacy policies, and some also state how the cookies are being used, this is not enough to ensure compliance with the directive,” said Martin Tyley, of KPMG’s Northern risk consulting team.

“Organisations need to focus on establishing an inventory of their websites and the cookies currently in use, before evaluating their purpose, and establish a pragmatic plan to ensure adherence.”

But David Bentley, managing director of Wetherby-based web design and digital agency Net Construct, said full compliance with the directive risks damaging firms’ online presence. “In the absence of clear and practical direction, we’re seeing companies, organisations and their advisers placed in the difficult position of having to make individual decisions on what to do,” he said.

“At present, doing nothing is legally risky, doing everything could be commercially risky, but doing something properly considered should limit the risk.”

The firm has been rolling out a compliance programme for its clients in recent weeks. This includes changing websites, auditing cookies on websites, reviewing clients’ information management and creating tailored privacy and cookie policies.

E-Consultancy, an independent adviser with more than 100,000 digital professional members, recently surveyed firms and found 82 per cent believe the directive will be bad for business.

Mr Bentley said the new rules are creating considerable confusion, with varying levels of compliance.

“The EU update has created much controversy within the digital world over the last six months,” said Mr Bentley.

“Even the Information Commissioner’s Office (ICO) seems to acknowledge that fully complying at present could cause commercial problems for firms with publicly accessible websites.

“The ICO is saying they are not going to hunt for people who are not fully compliant.

“But if someone complains they may well investigate – and then they’ll want to see you’re at least taking the issue seriously and working towards compliance.

“If e-privacy is dealt with in the same way by everyone, it will be fine.

“But online, it’s not a level playing field across the world or even across Europe.”
