United Kingdom


  • Service: Advisory, Risk Consulting
  • Industry: Technology
  • Type: Press release
  • Date: 28/05/2013

Half of UK institutions continue to ignore EU Cookie Law one year on 

  • Failure to adhere to EU Directive leads to questions around compliance with future requirements



A year on from the introduction of the EU Directive on Privacy and Electronic Communications*, analysis of 55 major UK organisations across private and public sectors has found that 51 percent have failed to comply with the legislation and are still potentially breaching user privacy, risking heavy fines of up to £500,000.


KPMG’s analysis of organisational compliance with the law, which was designed to protect internet users from intrusive tracking and marketing material, also shows that some organisations which were compliant 12 months ago are now falling foul of the legal requirements.  Just 2 percent of websites were found to be asking for explicit consent during this latest round of research – a figure dropping from 4 percent in September 2012.


Of the remaining websites analysed, 43 percent only use “implicit” compliance to obtain consent from users before they install cookies that pass on information about browsing activities to third parties. This means that a pop-up box appears on the website explaining the organisation’s cookie policy – something that is left unread by many and simply switched off.


Only securing “implicit” consent is enough to be technically compliant in the UK - although it is insufficient to fully satisfy the requirements of the EU Directive which requires website users’ explicit consent, before cookies can be installed.  Only a tiny minority of the websites analysed (2 percent) actively seek unequivocal permission from site visitors, while a further 4 percent have become fully compliant by not setting cookies on their websites at all.


Stephen Bonner, a partner in the Information Protection and Business Resilience business team at KPMG, said: “A year ago we found 80 percent of websites to be non-compliant, and today that figure has dropped to little over half. Yet while this is a move in the right direction, what we have uncovered is a pretty patchy response to the law at best.


“It begs questions around how organisations will react to future legislation. Organisations seem to have been conditioned into thinking they can ‘get away’ with the barest minimum activity when it comes to cyber space and many will be wondering whether they really have to respond to future directives as they emerge. 


“The fact remains that cookies monitor users’ website activity which, if used without prior knowledge for marketing and other purposes, is a breach of privacy. By adopting this implicit approach, organisations are assuming individuals have previously consented to receiving cookies and this is hardly the spirit in which the legislation was introduced. We would therefore question whether the ‘Cookie Law’ has achieved what it set out to achieve and whether the threat of fines is enough to change organisations’ behaviour.”




Media enquiries:


Mike Petrook, KPMG Press Office

020 7311 5271 (t), 07917 384 576 (m) or mike.petrook@kpmg.co.uk 


Notes to Editors:


* The EU Directive on Privacy and Electronic Communications came into force in the UK on 26 May 2012

About KPMG


KPMG LLP, a UK limited liability partnership, is a subsidiary of KPMG Europe LLP and operates from 22 offices across the UK with over 11,000 partners and staff.  The UK firm recorded a turnover of £1.7 billion in the year ended September 2011. KPMG is a global network of professional firms providing Audit, Tax, and Advisory services. We operate in 152 countries and have 145,000 professionals working in member firms around the world. The independent member firms of the KPMG network are affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity.  KPMG International provides no client services.



Share this

Share this