The Information Commissioner’s Office has sent a letter of warning to 75 of the UK’s most popular websites, asking them to show within 28 days how they are moving towards compliance with the EU’s new cookie law.
The list includes Amazon, Apple, the BBC, Department for Transport, eBay, Google, HSBC, John Lewis, Lloyds TSB, the Met Office, Microsoft, the National Lottery, Network Rail, the NHS, Sainsbury’s, Scottish Government, Tesco, the Cabinet Office, Virgin Media and Yahoo. A full list can be found here.
The government was forced to revise the Privacy and Electronic Communications Regulations, which came into force in the UK on 26 May last year, to address a new EU directive requiring businesses and organisations that run websites in the UK to get consent from visitors before storing cookies on their computers.
The ICO stated at the time that it would give businesses a 12-month ‘moratorium’ period in which to get their house in order and to comply with the new regulation. This period of preparation is due to finish tomorrow.
However, it was revealed last week that many private and public sector companies are still not going to be compliant with the directive and that the ICO is now looking to find out whether influential companies have got roadmaps for implementation.
The letter reads: “Our expectation is that you will now be able to demonstrate the action your organisation has taken to comply with the revised rules for cookies.
“If your organisation has not yet achieved compliance, please provide an explanation about why it has not been possible to comply within time, a clear timescale for when compliance will be achieved, and details of specifically what work is being done to make that happen.”
The companies have been given 28 days to provide this information to the Information Commissioner.
The letter also highlights that the ICO has a “range of options available” to it to take formal action where companies cannot prove that they are working towards compliance within reasonable timeframes. These options range from undertakings, which commit organisations to a particular course of action, to enforcement notices and possible fines of up to £500,000.
However, in a briefing last week the ICO told journalists that it was unlikely that it would be handing out penalties, as it would have to prove that a breach had caused “substantial distress” to users. It was also revealed that the ICO might give companies years to comply as long as they can prove that they are working within a ‘reasonable timeframe’.