David Smith, deputy commissioner at the Information Commissioner’s Office (ICO), has said that government departments will feature on a list of the top 50 websites due to receive a letter of warning from the regulator over non-compliance with new EU cookie laws ‘within days’.
However, the information regulator also said that it is unlikely to exercise its ability to fine companies up to £500,000 for non-compliance unless a breach causes "substantial distress".
The government was forced to revise the Privacy and Electronic Communications Regulations, which came into force in the UK on 26 May last year, to address a new EU directive that requires businesses and organisations running websites in the UK to get consent from visitors before storing cookies on their computers.
The ICO stated at the time that it would give businesses a 12-month ‘moratorium’ period in which to get their house in order and to comply with the new regulation.
However, this period of preparation is due to finish on 26 May and the ICO will issue a letter of warning to the UK’s ‘top 50’ websites, which is set to include central government departments.
“We will be writing to 50 key websites within the next few days. These will be websites where we see no signs of the right steps being put in place,” said David Smith, deputy commissioner.
“The letter will ask them to inform us what measures they are taking and they will be required to respond to us within 28 days. We will then review those responses and decide what steps to take.”
Although Smith wasn’t willing to be specific about which websites were on the list, he added: “It will include government websites, there are no special measures for anybody here.”
The Cabinet Office has revealed that although many government websites are working towards compliance, they are unlikely to be compliant by next week's deadline.
“Department websites are actively working to achieve compliance at the earliest possible date,” said a spokesperson.
“We understand that the expectation from the ICO is that organisations both public and private sector need to demonstrate that they are moving towards compliance.”
Belinda Doshi, partner at law firm Nabarro, said that the government’s lack of compliance with the new directive did not send a good message to the private sector.
“Many businesses will quite rightly ask, why have they spent time and money on cookie compliance when the government hasn’t?”
“This sends a very poor message to business that government is happy to agree and implement new EU regulation, but does not intend itself to comply with it,” she said.
Smith was, however, keen to highlight that although the moratorium period has come to an end, this did not mean that the ICO was going to launch a “torrent of enforcement action”.
“What it really means is those complaints about websites that don’t get consent for cookies will now go into the normal processes we would take in assessing whether to use our enforcement powers,” explained Smith.
He said that this depended on a number of factors. For example, the ICO will pay more attention to websites using ‘intrusive cookies’, such as those that are used for tracking to generate revenues for advertising based on a user’s online behaviour, whereas cookies used for simple analytics are likely to get less attention.
The ICO is also unlikely to use its ability to fine companies as it believes a breach of the cookie law is unlikely to meet the requirements it would need to issue such a fine.
“To issue a fine there has to be a serious breach. It has to be one that is likely to cause substantial damage or distress to individuals,” said Smith.
The ICO is more likely to use its notice powers to encourage companies to comply, said Smith. Effectively, it will write to companies that aren’t taking steps to comply with the new regulation, providing timeframes to do so. If these companies fail to achieve compliance within the given timeframe, this then becomes a criminal offence and the ICO can prosecute.