Eighty per cent of UK organisations still not compliant with EU cookie law
Deadline ignored by enterprises despite risk of £500,000 fine
The majority of UK organisations across the private and public sectors are still not compliant with the EU cookie law, despite the deadline for the law to be enforced having passed, according to consultancy KPMG.
In its analysis of the UK websites of 55 major organisations, carried out after the 26 May deadline, KPMG found that only 10 have implemented measures regarded as compliant with the law by gaining users' consent and giving them the option to change cookie settings.
KPMG said that the majority of these 10 websites followed the "implied consent" approach that assumes that users accept the use of cookies unless they change their browsers' settings.
In April, KPMG found that 95 per cent of the UK organisations it surveyed did not comply with the law and, although there has been a 15 per cent increase in compliance, the vast majority of organisations remain non-compliant and risk fines of up to £500,000.
KPMG found that since its first analysis back in March, 40 per cent of websites have now updated or added new policies providing additional detail on cookies, including links to relevant information, although this is not enough for full compliance.
Another 40 per cent of websites have not introduced any changes at all since March. In addition, no organisations had implemented measures for their mobile websites.
Stephen Bonner, a partner in the information protection and business resilience team at KPMG, said that the main reason many organisations were not yet compliant was that the law was confusing.
"There is clearly some progress in that the cookie law has had an effect on a number of website providers. However, what we have also seen is a great deal of confusion around what is actually required to comply with the law. Therefore, many organisations are taking a wait-and-see approach at this stage. Some also seem to assume that the measures they have taken so far are sufficient – but they are not," he said.
Last month, Kim Walker, partner at law firm Thomas Eggar, told Computing that UK organisations should show some awareness of the new legislation to avoid hefty fines.
Bonner seemed to agree with this approach and emphasised the importance of compliance from a reputational standpoint.
"While there is still much confusion, there is also a call for organisations to adopt a more basic approach towards these requirements; informing customers upfront when you are collecting and analysing information about them builds trust and confidence in your organisation as a whole.
"Organisations should therefore analyse their situation and make sure their full web, as well as their mobile presence, gets in line with the law. The time to act is now, as there have been many complaints to regulators from customers unhappy about their rights not being respected," he said.
Just after the deadline, the Information Commissioner's Office confirmed that it had sent letters to 75 of the biggest organisations to ensure that they are moving towards compliance. The list included Apple, Amazon, the BBC, Google UK, the NHS and the Cabinet Office.