UK warns popular Web sites to comply with cookie law

LONDON — The Information Commissioner’s Office has sent a letter of warning to 75 of the U.K.’s most popular Web sites asking them to prove within 28 days how they are moving towards compliance with the European Union’s new cookie law.

The list includes government departments and enterprises ranging from Amazon, Apple, the BBC, the Department for Transport, eBay, Google, HSBC bank, Lloyds TSB, , Microsoft, the National Lottery, Network Rail, the National Health Service, the Scottish Government, supermarket chain Tesco, the Cabinet Office, Virgin Media and Yahoo.

The government was forced to revise Britain’s Privacy and Electronic Communications Regulations, which came into force in the U.K. a year ago, to address a new EU directive that demands that businesses and organizations running websites in the UK need to get consent from visitors to their websites in order to store cookies on users’ computers.

The ICO stated at the time that it would give businesses a 12-month ‘moratorium’ period in which to get their house in order and to comply with the new regulation. This period of preparation is due to finish May 27.

However, it was revealed last week that many private and public sector companies are still not going to be compliant with the directive and that the ICO is now looking to find out whether influential companies have got roadmaps for implementation.

The letter reads: “Our expectation is that you will now be able to demonstrate the action your organisation has taken to comply with the revised rules for cookies.

“If your organisation has not yet achieved compliance, please provide an explanation about why it has not been possible to comply within time, a clear timescale for when compliance will be achieved, and details of specifically what work is being done to make that happen.”

The companies have been given 28 days to provide this information to the Information Commissioner.

It is also highlighted in the letter that the ICO has a “range of options available” to it to take formal action where companies cannot prove that they are working towards compliance within reasonable timeframes. These options include undertakings, committing organisations to a particular course of action to enforcement notices and possible fines of up to £500,000.

However, in a briefing last week the ICO told journalists that it was unlikely that it would be handing out penalties, as it would have to prove that a breach had caused “substantial distress” to users. It was also revealed that the ICO might give companies years to comply as long as they can prove that they are working within a ‘reasonable timeframe’.