Website operators have a year to change the way they use cookies to comply with new laws, the Information Commissioner's Office (ICO) has said. Those that make no effort to change could still face sanctions, though, the ICO said. From tomorrow, UK laws based on the EU's Privacy and Electronic Communications Directive will force websites to obtain users' consent in order to store cookies. Cookies are small text files that record user activity on websites. The ICO, the UK's data protection regulator, has given most operators of consumer websites a year's grace before serious enforcement of the new laws will begin. "Although there isn’t a formal transitional period in the Regulations, the government has said they don’t expect the ICO to enforce this new rule straight away," Christopher Graham, the Information Commissioner, said in a statement. "So we’re giving businesses and organisations up to one year to get their house in order. This does not let everyone off the hook. Those who choose to do nothing will have their lack of action taken into account when we begin formal enforcement of the rules," Graham said. The ICO said it was allowing the exemption period because there was no adequate technical solution within browser settings to obtain user consent to cookies. The Government has said it is working with browser manufacturers to establish a new system for gaining user consent through their settings. "Browser settings giving individuals more control over cookies will be an important contributor to a solution," said Graham. The ICO said it would respond to complaints about cookies during the exemption period by advising website owners how to comply with the new Privacy and Electronic Communications Regulations, an ICO guide on how it will enforce the regulations said. "[The Information Commissioner] will provide advice to the organisation concerned on the requirements of the law and how they might comply," the ICO enforcement guide (7-page / 132KB PDF) said. "Where he considers it appropriate, and particularly as May 2012 approaches, he will also ask organisations to explain to him the steps they are taking to ensure that they will in fact be in a position to comply by May 2012," the guide said. The ICO recently published guidance on how organisations can comply with the new regulations. It suggested a variety of options websites could use to gain user consent, including prompting users with pop-up questions about their consent to cookies or writing cookie consent into terms and conditions users have to agree to when registering with a site. Website features, such as videos, that remember how users personalise their interaction, could also determine user consent, the ICO said. The Information Commissioner said the ICO website now operates a header giving users the choice how to manage their cookies but said that it may not be an appropriate solution for other websites. "We’ve decided to place a header bar on our website giving users information about the cookies we use and choices about how to manage them," Christopher Graham said in the ICO press release. "I am not saying that other websites should necessarily do the same. Every website is different and prescriptive and universal ‘to do’ lists would only hinder rather than help businesses to find a solution that works best for them and their customers," Graham said. Under the new UK regulations the ICO has been given extra powers to impose penalties of up to £500,000 on websites that breach the new regulations, the ICO enforcement guide says. The ICO can also investigate the measures taken by website providers to safeguard the security of public electronic communications, investigate and fine websites depending on how they deal with personal data breaches and can demand information about users to investigate how a website complies with the new regulations, the ICO enforcement guide says. "Along with the power to impose financial penalties on telecoms and internet companies who fail to notify us about their data breaches, we will also have stronger powers to investigate the businesses behind nuisance marketing calls and spam texts," Christopher Graham, Information Commissioner, said in the ICO press release. "Tackling the businesses that make money from this is a challenge, but these new powers will give us access to more of the information we need to do the job," Graham said.
