Companies in confusion over ‘cookie’ laws

Companies across Europe are in a state of confusion over what they need to do to comply with new internet privacy laws that come into force on Thursday.

The way that most companies currently collect information about people who visit their websites – using so-called “cookies” or small pieces of tracking code – will become illegal under the new European Union rules, and punishable in the UK, for example, with fines of up to £500,000 ($813,000).

Companies operating in the region must now get permission from web users for this kind of tracking, but there is little guidance on how they should do so.

Internet companies such as Facebook and Google are particularly concerned that the new laws could put their businesses in jeopardy, and advertisers are worried that the market for highly targeted internet advertising – worth nearly £100m a year in the UK alone – could be damaged.

The laws will touch every company that does business over a website. Any site that sells products or carries advertising will use cookies. Cookies can track items that a customer is putting into a website shopping basket, for example, or note the web pages individuals visit and send this information to advertising companies. Most websites will have between 10 to 20 cookies; big corporations with multiple websites could have hundreds or even thousands in use.

In the UK, the government issued three clarifications in the past two days, attempting to reassure companies that they will be given time to comply. The UK Information Commissioner’s Office said it could give companies up to a year to change their websites.

However, Peter Gooch, privacy expert at Deloitte, said few companies had activated plans to change their websites.

“I haven’t seen any of the big organisations outline a strategy of what they will do. They are playing the waiting game. If you stick your neck out with a solution and there is a bad consumer reaction against it, it could be very damaging,” he said.

“The guidelines produced by the ICO seem to pose more questions than answers,” said Andreas Edler, managing director of Hostway, which provides internet services for a number of small business clients. “It still is unclear ... what changes users need to make in order to comply with the legislation.”

Hiscox, the insurance company, has said it is concerned about the increased risk of litigation for the technology and marketing companies it insures.

“There is concern that companies can be fined or have a case brought against them by a group of individuals who feel their privacy has been violated,” said Alan Thomas, head of technology and media at Hiscox.

Internet marketeers say getting permission from consumers to collect their data could be difficult.

“People are panicking a bit and wondering how this will mess up their analytics,” said Dennis Dayman, chief privacy officer at Eloqua, a company which provides technology to marketing companies.

“Getting consent is difficult. As soon as you raise it people start to think there is something sinister in what you are doing. We are going to have to work on new ways of getting consent,” said Ben Cooper, a director at Tullo Marshall Warren, the digital marketing agency.

Online privacy is becoming a growing issue for consumers. Large scale data loss incidents, such as the hacking attack on Sony’s PlayStation Network, are making people increasingly question what details companies should collect and keep about them.

A test case may be needed before the law is clarified, Mr Cooper said. “There will be one or two high profile organisations that fall foul of the law. That will help test the boundaries.”

Copyright The Financial Times Limited 2017. All rights reserved. You may share using our article tools. Please don't cut articles from and redistribute by email or post to the web.