ePrivacy Compliance: Are UK Businesses Prepared?

George Thompson, Director of KPMG, discusses UK Cookie Law Compliance and a recent KPMG survey documenting how global brands are addressing ePrivacy. https://www.ensighten.com/privacy-policy/


Analysis: How UK Businesses Are Preparing
UK Cookie Law Compliance: Implications & Answers
George Thompson, Director, KPMG

George Thompson from KPMG. For those of you who don’t know, KPMG is one of the four largest global accounting and audit companies globally. In addition to audit and accountancy we do quite a lot of advisory work in various spaces. My particular field is Information Protection and Business Resilience. And within that team we look at privacy and other areas related to compliance activity assurance, privacy by design, architecture and those kinds of activities.

So today we’re going to talk about The Cookie Monster. The reason I was invited is that we decided to conduct a survey, a survey of the level of compliance that organizations in the UK were taking to comply with the e-cookie, e-privacy requirements that Stewart’s just been talking about.

I can’t say this was a random sample. I can’t say these results are statistically valid. But indeed they are, actually, they include 55 of the largest corporations in the UK. And we chose them by sector so we identified ten sectors and took five. We added government websites and publication sites and so on. Just so we felt we got a reasonable coverage across the sectors. And created the list, got some of our staff to spend time looking at websites. Some of these websites were huge. And what we were looking for is the presence of cookies. Do these websites actually use cookies? And not just cookies, but tags and embedded JavaScript as well as other devices. Trackers – we were looking for trackers as well.

We looked for the presence of Terms and Conditions, Privacy Policies, anything that would help a user to understand what this website was doing to them. Were they depositing cookies that collected information? Were they installing trackers to feed information to Google Analytics and the others? That required a lot of eyeballs. That’s not something you can set a machine to go and do for you. So we actually had people reading those documents.

And then we looked for the presence of some kind of consent mechanism of the type that has been talked about in the press for the last year or so. And we analyzed the results. And the results are: We found one website that truly requested user consent to deposit cookies. We had two websites stating in their privacy policy that they would be compliant by the 26th and only ten out of 55 that actually use no cookies and trackers. So, we said that’s 95% non-compliance.

We didn’t take into account the “Continue the Journey” consent mechanism, that may well exist on some. But indeed, that’s the result. Those results got a lot of press. And we’re planning to rerun that next Monday and Tuesday and I expect we’ll be putting out another press statement towards next weekend. So why did we do that? Well, our clients keep asking us what they should be doing. More importantly, our clients ask us, “What are my peers doing? What is my competition doing? What does the regulator expect us to do?” And not just UK regulators, because the organizations that we deal with mostly are multinational. They operate globally. They certainly operate across all of Europe.

And we also help organizations based outside of the EU but want to trade in the EU and sell via websites to the European Union. So they want to know what’s the standard, what is it that I should be looking to achieve, and how do I do that? Do I have to do things on first-party cookies? I can control those. I know those. What do I do about third-parties? Trackers? Adobe? And the Google trackers?

Which websites does this apply to? Corporate website? Kpmg.com certainly. The affiliates, people we do partner with, we do business with. Does that mean if we work with a site do we have to worry about what is on their site? HR services. I’m an employee of a global organization. Does KPMG need my consent to process my personal information that it outsources to my pension provider? Probably not.

The debate is endless in large organizations.