KPMG said it analysed 55 UK websites on 28 and 29 May and found that only 10 were using measures for obtaining consent to cookies that could be said to be compliant with the UK's Privacy and Electronic Communications Regulations (PECR). None of the organisations' mobile-version websites complies with PECR, the company said.
Cookies are small text files that record internet users' online activity. Websites store the information on a user's computer, but EU laws say users should be allowed to choose whether or not to accept cookies or not. Changes made last year to the PECR mean that website operators must now generally obtain users' "informed consent" to cookies. The Information Commissioner's Office (ICO) began its enforcement of the law on 26 May last month.
KPMG said that most of the PECR-compliant websites it analysed rely on obtaining implied consent to cookies, and that most of the compliance mechanisms introduced do not extend to "secondary sites" the organisations operate. Those secondary sites are "typically" non-compliant with PECR, it said.
The accountancy firm had previously assessed the same 55 sites in March when it found that only one site used measures for obtaining consent to cookies that complied with PECR.
Since its March analysis KPMG said 40% of the websites have "now updated or added new policies" that provide more detail on cookies, but that those measures alone were not sufficient to be compliant with PECR. A further 40% of the websites analysed display no new information about cookies, it added.
"There is clearly some progress in that the Cookie Law has had an effect on a number of website providers," Stephen Bonner, partner at KPMG, said in a statement. "However, what we have also seen is a great deal of confusion around what is actually required to comply with the law."
"Therefore, many organisations take a wait and see approach at this stage. Some also seem to assume that the measures they have taken so far are sufficient – but they are not. While there is still much confusion, there is also a call for organisations to adopt a more basic approach towards these requirements; informing customers upfront when you are collecting and analysing information about them builds trust and confidence in your organisation as a whole."
"Organisations should therefore analyse their situation and make sure their full web as well as mobile presence gets in line with the law. The time to act is now as there have been many complaints to regulators from customers unhappy about their rights not being respected," Bonner said.
In 2009 the EU's Privacy and Electronic Communications (e-Privacy) Directive was changed to demand that storing and accessing information on users' computers was only lawful "on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information … about the purposes of the processing". Consent must be "freely given, specific and informed".
An exception exists where the cookie is "strictly necessary" for the provision of a service "explicitly requested" by the user – so cookies can take a user from a product page to a checkout without the need for consent, for example.
Amendments to PECR implemented the Directive into UK law last May. The ICO placed a year's grace on enforcement in order to give website operators time to implement measures in order to comply with the new consent requirements, but that period has now passed.
The ICO can issue fines of up to £500,000 to organisations whose websites do not comply with the Regulations, however in a recent press briefing deputy Information Commissioner David Smith said that a "torrent" of enforcement action should not be expected.
Smith indicated that firms that have at least begun a cookie audit will not immediately face enforcement action, but that it was "too sweeping" to say that website operators could merely work towards compliance "for years" without facing enforcement action.
"The greater the risk to privacy, the more we are likely to use our enforcement powers," he said. "Where we have seen people with sensible timescales we are perfectly happy to work along with those," David Evans, the ICO's strategic liaison group manager for business and industry, added.
The ICO will be keen to talk to companies that do not comply with the consent requirements for serving cookies to find out more about their practices before any infringement notices are served, Smith said. He added that companies would get a chance to respond to such notices before the ICO would make any later decision on whether to fine those firms over the activity.
The ICO has previously issued non-prescriptive guidance on how website operators can meet the new consent requirements.