The majority of the UK’s eCommerce companies have not implemented changes which bring their websites into line with the latest privacy legislation, a major business advisory firm says.
A survey by KPMG found that over 80% of sites, including many major organisations, had not complied with the European Union’s Directive on Privacy and Electronic Communications, commonly known as the ‘cookie law’.
The directive, which came into force on May 28 and 29, states that eCommerce companies must obtain ‘implied consent’ from users before installing cookies on their machines. Failure to comply with the directive could result in businesses being fined as much as £500,000.
KPMG first analysed the same websites in March and found only one of those assessed was compliant with the forthcoming law. Since then the number has risen to ten, however KPMG says most of these only comply with the bare minimum required by the law.
“There is clearly some progress in that the Cookie Law has had an effect on a number of website providers. However, what we have also seen is a great deal of confusion around what is actually required to comply with the law,” said Stephen Bonner of KPMG.
“Therefore, many organisations take a wait and see approach at this stage. Some also seem to assume that the measures they have taken so far are sufficient – but they are not.”
Bonner called on eCommerce businesses to be more upfront with customers
“While there is still much confusion, there is also a call for organisations to adopt a more basic approach towards these requirements; informing customers upfront when you are collecting and analysing information about them builds trust and confidence in your organisation as a whole.”
Website publishers shluod not be told to go ahead if they want to use cookies. The law in most European jurisdictions require that consent is obtained prior to cookie placement, and regulators across Europe are capable of enforcing it. In addition telling them that they will be able to rely on future Browser Settings will just lead to confusion and disrespect for the law.Consent cannot be assumed from default Browser settings or the absence of Do-Not-Track indications because most citizens do not have the technical knowledge needed to understand them. This was recognised by the data protection regulators and drafters of the law, which has been debated and accepted by the UK parliament and those across Europe.It is possible that browser manufacturers could introduce features in the future that would give visitors the fine-grained ability to register agreement to cookies, but web site publishers would still not be able to rely on that because they may not be able to detect whether a particular visitor was using a new browser and had been given the information required to give their consent. Legal responsibilities rests with the web publishers alone.In any case most of the browser manufacturers get significant income from data aggegation and behavioural tracking and may not be motivated to design features that they think would reduce that.Guidance issued by various data protection regulators and the Article 29 working group has indicated that consent to cookies does not have to be obtained at every visit. It is perfectly acceptable to get agreement once and place cookies without asking on subsequent visits, although it is recommended that the consent shluod expire after a reasonable period. Solutions to the cookie consent issue that allow website publishers to comply with law simply and cheaply are already available. There is no need to rely on, or wait in vain for, mythical browser settings . The commercial interests behind advertising and data aggregating are short sighted to try and obfuscate this issue because they are pitting themselves against the populace. Very many citizens feel there is a lack of respect about how their personal information is acquired and used on the web, and this is leading to lack of trust that could in fact inhibit the acceptance of online commerce. It is also wrong for politicians to take sides with the aggregators for the sake of protecting economic growth.It is common sense that visitors to web sites shluod be made aware if cookies, or any other kind of identifying data, are being place in order to track their online activity, and be given the the ability to refuse them. Ultimately ensuring transparency and honesty in online commerce will lead to more consumer trust and a more sustainable online economy.See my guest post on