Infosec: Companies uncertain over cookie law changes

Many organisations are struggling to prepare for forthcoming changes to the law requiring web owners to be more transparent about the use of cookies, because the government has yet to release official guidance on the changes, according to information security experts.

Changes to the EU Electronic Communications Framework are set to come into force in the UK on 25 May, and will force online business to get explicit consent to  install cookies on users' PCs.

However, speaking at the Infosecurity Europe show today, Gaynor Rich, head of PCI and payment services, GRBA, at Capita Group, argued that companies face a ‘chicken and egg' situation in that they are reluctant to begin compliance efforts before official guidelines on how to do so have been released by the government.

"Many organisations are struggling with the issue of how you can get consent with cookies because there hasn't been any government guidance," she said.

Experts at the same panel discussion argued that the law around information security is far too fragmented, further complicating compliance efforts.

"The law could be a lot clearer," said Stewart Room, a partner at law firm Field Fisher Waterhouse LLP. "It would be helpful if there were a single ‘Security Act'."

Simon Salmon, head of IT strategy and security at Nottingham City Council, conceded that "broadly speaking the legislation works", but agreed that a single law covering security would be useful as there is a "degree of fragmentation".

Room also maintained that there has been a "total market and regulation failure in the area of data handling" which can only be addressed by giving citizens more power to take erring organisations to court.

"The single thing I would do if I were God for a day is empower the citizen. When a citizen has effective cause of action this can change behaviour," he said.

"At the moment we have one Information Commissioner with a limited number of staff, but if citizens had the power that Europe said they should have, we would have 65 million regulators which would make a great difference."