Latest Guideline from ICO on the Cookie Law

On the 13th December the Information Commissioner’s Office released its latest guideline on the Cookie Law, with a clear statement to website owners: “Must try harder”. The ICO has a range of options to ensure that organisations comply with the law; in severe cases the ICO can impose enforcement notices and fines up to £500,000.

The ICO are the government body who have the role of enforcing the Cookie Law. The law has been in place since the 26th May 2011 and the grace period for complying with the law ends on the 26th May 2012.

Website Owner Guidelines

The ICO has updated its guidelines on what it expects website owner to be doing and working on, to be in compliance with the Law. The guidelines also provide some examples on how a website can be altered to comply with the law and which forms of cookies should be targeted first.

The cookie Law is there to protect the rights of an individual to browse the internet, without the fear of being tracked; also, that a website owner must gain consent from the user before storing a cookie on the users device. Except where a cookie is “strictly necessary” for providing a services like remembering the goods within a user’s basket.

For full details read latest guideline on the Cookie Law, provided by the ICO.

Half term report on cookies compliance

Based on the half term report on the cookies compliance, the overall Impression that the ICO has is:

• It would be naive in the extreme to suggest that every website is well on the way to being compliant with the new rule. 
• If your website uses cookies and you are not doing anything to get consent then you are not compliant. 
• People have not been slow to express their alarm at what this new rule means but they have been slow to demonstrate what they are doing to comply.

Enforcement and penalties

The ICO aim is to ensure that organisations comply with the law. Where organisations refuse or fail to comply, the ICO has a range of options:

Information notice

this requires organisations to provide the Information Commissioner with specified information within a certain time period.

Undertaking

this commits an organisation to a particular course of action in order to improve its compliance.

Enforcement notice

this compels an organisation to take the action specified in the notice to bring about compliance with the Regulations. For example, a notice may be served to compel an organisation to start gaining consent for cookies. Failure to comply with an enforcement notice can be a criminal offence.

Monetary penalty notice

a monetary penalty notice requires an organisation to pay a monetary penalty of an amount determined by the ICO, up to a maximum of £500,000. This power can be used in the most serious of cases and if specific criteria are met, if any person has seriously contravened the Regulations and if the contravention was of a kind likely to cause substantial damage or substantial distress. In addition the contravention must either have been deliberate or the person must have known or ought to have known that there was a risk that a contravention would occur and failed to take reasonable steps to prevent it.