By Daniel Hunter

A year on from the introduction of the EU Directive on Privacy and Electronic Communications, analysis of 55 major UK organisations across private and public sectors has found that 51 percent have failed to comply with the legislation and are still potentially breaching user privacy, risking heavy fines of up to £500,000.

KPMG’s analysis of organisational compliance with the law, which was designed to protect internet users from intrusive tracking and marketing material, also shows that some organisations which were compliant 12 months ago are now falling foul of the legal requirements. Just 2 percent of websites were found to be asking for explicit consent during this latest round of research — a figure dropping from 4 percent in September 2012.

Of the remaining websites analysed, 43 percent only use “implicit” compliance to obtain consent from users before they install cookies that pass on information about browsing activities to third parties. This means that a pop-up box appears on the website explaining the organisation’s cookie policy — something that is left unread by many and simply switched off.

Securing only “implicit” consent is enough to be technically compliant in the UK, although it is insufficient to fully satisfy the requirements of the EU Directive, which requires website users’ explicit consent before cookies can be installed. Only a tiny minority of the websites analysed (2 percent) actively seek unequivocal permission from site visitors, while a further 4 percent have become fully compliant by not setting cookies on their websites at all.

“A year ago we found 80 percent of websites to be non-compliant, and today that figure has dropped to little over half. Yet while this is a move in the right direction, what we have uncovered is a pretty patchy response to the law at best,” Stephen Bonner, a partner in the Information Protection and Business Resilience business team at KPMG, said.

“It begs questions around how organisations will react to future legislation. Organisations seem to have been conditioned into thinking they can ‘get away’ with the barest minimum activity when it comes to cyber space and many will be wondering whether they really have to respond to future directives as they emerge.

“The fact remains that cookies monitor users’ website activity which, if used without prior knowledge for marketing and other purposes, is a breach of privacy. By adopting this implicit approach, organisations are assuming individuals have previously consented to receiving cookies and this is hardly the spirit in which the legislation was introduced. We would therefore question whether the ‘Cookie Law’ has achieved what it set out to achieve and whether the threat of fines is enough to change organisations’ behaviour.”
