UK doing ‘bare minimum’ on privacy

British firms’ reluctance to implement anything but the bare minimum when it comes to the EU cookie law does not bode well for the adoption of new legislation – including the proposed upgrade of EU data laws – according to KPMG.
The warning comes after the company published research showing more than half of businesses are still not compliant with the cookie directive, a year after the legislation was introduced.
The picture is confused due to advice issued by the UK Information Commissioner’s Office. The EU directive calls for “explicit” consent, yet the ICO watered down this demand by allowing firms to opt for “implied” consent.
KPMG analysed 55 major UK organisations across the private and public sectors, and found that 43% used “implicit” compliance to obtain consent from users, meaning that text appears on the website explaining the organisation’s cookie policy. Only 2% of websites were found to be asking for explicit consent, down from 4% in September 2012.
Only 4% of organisations have become fully compliant by not setting cookies on their website at all.
However, Stephen Bonner, a partner at KPMG’s information protection and business resilience team, believes that organisations’ reactions to the cookie law could have future consequences.
“It begs questions about how organisations will react to upcoming legislation. Organisations seem to have been conditioned into thinking they can ‘get away’ with the barest minimum activity when it comes to cyber space, and many will be wondering whether they really have to respond to future directives as they emerge,” he said.
“The fact remains that cookies monitor users’ website activity which, if used without prior knowledge for marketing and other purposes, is a breach of privacy.
“By adopting this implicit approach, organisations are assuming individuals have previously consented to receiving cookies and this is hardly the spirit in which the legislation was introduced,” he said.
Bonner’s comments are all the more prescient given concerns surrounding the draft EU Data Protection Regulation currently being debated in Brussels. Some have questioned whether it will result in all marketing data requiring an opt-in, under a new “explicit” consent mandate. However, the EU has insisted this will not be the case; a response which has been met with some scepticism.
The ICO’s advice is to adopt best practice now, in preparation for the new regulation. But, if the findings of this report are to be believed, some companies will be hoping to get away with doing the bare minimum; others are likely to do nothing at all.
