Top 5 Tips For Ensuring Compliance With New EU Website Cookies Law

With less than 50 days to go until a major new EU law comes into force governing website cookies, an analysis of 55 major UK organisations across UK private and public sectors found that 95% were not in compliance with the cookie-related requirements of the EU Directive on Privacy and Electronic Communications and are therefore risking fines of up to £500,000.

Cookies are small text files which are used by websites to analyse their visitors’ Internet behaviour. The files are stored on a user’s hard disk to enable targeted advertising and personalised web pages. Cookies are also used by e-commerce sites to manage users’ shopping carts.

The directive becomes enforceable UK law from 26 May 2012. From then on, websites need to obtain users’ opt-in consent first if they install cookies that pass on information about browsing activities to third parties. Non-compliant websites may be subject to a fine.

Yet the analysis showed a surprising lack of compliance: only one site asked specifically for opt-in, which is the key requirement of the directive. Surprisingly, two sites did not use any cookies at all.

With less than 50 days to go before enforcement, the analysis has found that the majority of UK organisations still need to complete substantial work to their websites. Time is running out for them so they need to act to avoid severe financial penalties.

Whilst the majority of the websites analysed made a reference to the use of cookies under either the terms and conditions or specific privacy policies, and some also state how the cookies are being used, this is not enough to ensure compliance with the directive.

Organisations now need to focus their efforts on establishing an inventory of their websites and the cookies currently in use, then evaluating their purpose and establishing a pragmatic plan to ensure compliance.

The analysis was conducted at the end of March 2012 and focused on evaluating cookies set when entering the sites. It also reviewed current terms and conditions and/or privacy policies accessible from the front page. This review revealed that, in addition to the one site already asking specifically for opt-in, only two sites mentioned that they are currently being updated to become compliant before the deadline.

Top 5 Tips for organisations to ensure their websites are fully compliant:

1. Perform a review of the use of cookies on your website

2. Evaluate the information obtained from any cookies currently in use, and whether this information is paramount for your organisation

3. Start adding consent requests to cookies related to logon, registration and other similar processes

4. Create a plan to expand this activity to the remainder of your website

5. Don’t waste any more time: make sure you know which cookies your site uses, understand the applicability of the law (seeking legal counsel if required) and have a concise schedule to make your website compliant.
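As an added example that is not part of the original article, the following Python script carries out step 1 of the tips: it builds a cookie inventory from the Set-Cookie headers captured while loading a site's front page (constructed sample data for a hypothetical site) and flags third-party cookies for the consent work in steps 3 and 4, following the article's stated rule. The registrable-domain helper is a simplification, not a public suffix list lookup.

```python
from http.cookies import SimpleCookie

# Constructed sample: (host that sent the response, Set-Cookie header) pairs, as a
# proxy would capture them when loading the front page of a hypothetical site.
CAPTURED = [
    ("www.example.co.uk", "JSESSIONID=abc123; Path=/; Secure; HttpOnly"),
    ("www.example.co.uk", "prefs=lang%3Den; Domain=.example.co.uk; Max-Age=31536000; Path=/"),
    ("tracker.adnetwork.example",
     "uid=9f8e7d; Domain=.adnetwork.example; Expires=Fri, 31 Dec 2032 23:59:59 GMT; Path=/"),
    ("analytics.example.net", "_ga=GA1.2.1; Max-Age=63072000; Path=/"),
]

def registrable(host):
    """Simplified registrable domain: the last two labels, or three for co.uk-style
    suffixes. An assumption for this example; a public suffix list is more accurate."""
    labels = host.lstrip(".").lower().split(".")
    n = 3 if len(labels) >= 3 and labels[-2] in {"co", "org", "gov", "ac"} else 2
    return ".".join(labels[-n:])

def build_inventory(site_host, captured):
    """Return one record per cookie set while entering the site (tip 1)."""
    site = registrable(site_host)
    inventory = []
    for response_host, header in captured:
        jar = SimpleCookie()
        jar.load(header)  # parses name=value plus Domain/Path/Expires/Max-Age/flags
        for name, morsel in jar.items():
            domain = morsel["domain"] or response_host
            party = "first" if registrable(domain) == site else "third"
            # Session cookies carry neither Expires nor Max-Age
            persistent = bool(morsel["max-age"] or morsel["expires"])
            inventory.append({
                "name": name,
                "domain": domain.lstrip("."),
                "set_by": response_host,
                "party": party,
                "persistent": persistent,
                "secure": bool(morsel["secure"]),
                "httponly": bool(morsel["httponly"]),
                # Article's rule: cookies passing browsing data to third parties
                # need opt-in consent, so flag them for the consent work in tips 3-4
                "opt_in_required": party == "third",
            })
    return inventory

if __name__ == "__main__":
    for rec in build_inventory("www.example.co.uk", CAPTURED):
        flag = "OPT-IN" if rec["opt_in_required"] else "review"
        print(f"{flag:6} {rec['party']}-party {rec['name']:<11} "
              f"{rec['domain']:<22} {'persistent' if rec['persistent'] else 'session'}")
```

Run against headers captured from a real site (for example via a proxy or browser developer tools), the output is the starting point for the inventory and purpose evaluation in tips 1 and 2.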

The “EU Directive on Privacy and Electronic Communications” refers to online data protection and privacy. It covers confidentiality of information and the treatment of spam as well as of cookies. The directive came into effect in May 2011 and will be enforced in the EU states from 26 May 2012.


Joining KPMG in October 2011, Stephen focuses on data privacy issues, records management and IT infrastructure security for a wide range of clients including raising awareness of cyber threats within the financial service sector. Previously Stephen was Managing Director of Information Risk Management and Finance Change at Barclays. He is a regular speaker at e-Crime, InfoSec.