'Action needed' to meet UK's cookie tracking deadline

There are on average 14 tracking tools per webpage on the UK's most popular sites, according to a study.

Privacy solutions provider Truste suggests that means a user typically encounters up to 140 cookies and other trackers while browsing a single site.

The research was published less than 40 days before strict rules come into effect governing cookie use.

The study was carried out in March and covered the UK's 50 most visited organisations.

The firm said that 68% of the trackers analysed belonged to third-parties, usually advertisers, rather than the site's owner.

"The high level of third-party tracking that is taking place is certainly an area of question and scrutiny," Dave Deasy, Truste's vice president of marketing, told the BBC.

"It's not illegal to do the tracking - the question is whether you are giving consumers enough awareness that it is happening and what you are doing with the data."

On 26 May the UK's Information Commissioner's Office (ICO) imposes an EU directive designed to protect internet users' privacy.

The law says that sites must provide "clear and comprehensive" information about the use of cookies - small files which allow a site to recognise a visitor's device.

It says website managers must:

"The information needs to be upfront - without information people can't give consent," the ICO's principal policy adviser for technology, Simon Rice, told the BBC.

The ICO says the rules cover cookies used to provide information to advertisers, count the number of unique visitors to a page and recognise when a user has returned to a site to adjust the content that is subsequently displayed.

However, it says exceptions are likely to be made if the cookie is only being used to ensure a page loads quickly by distributing the workload over several servers, or is employed to track a user as they add goods to a shopping basket.

Many sites have yet to add a feature asking for users' consent.

95% of 55 major UK-based organisations surveyed on behalf of KPMG were still not compliant with the cookie law at the end of last month, the accountancy firm reported .

Truste acknowledges that the vast majority of those who took part in its study had published a privacy policy - but adds that only 16% had a summary section that was "easily digestible", and 80% did not disclose how long data about visitors was retained.

The move has proved controversial.

A survey published last month by the digital marketing firm, Econsultancy, found that 82% of 700 marketers contacted did not believe the cookie law was a positive development.

One respondent said: "Plain and simple - this will kill online sales."

The claim reflects a belief that when presented with a choice, most users would refuse to allow cookies to track them - making it impossible, for instance, for a retailer to target adverts for a computer at a user who had previously looked at an article about upgrading IT equipment.

The ICO's own research suggests this could be an issue. Since asking users to click a box if they agree to accept cookies from its site, the organisation says just 10% of visitors have complied.

However, BT's experience points to a possible solution.

Since March a pop-up message on its home page has told first-time visitors that unless they take up an offer to change its settings, then they have consented to its "allow all cookies" default rule.

"So far, we can see that customers are generally choosing to keep the cookies that we use to provide the best experience on our webpages," a spokeswoman told the BBC.

The ICO says it has not been prescriptive about the wording that firms use.

However, organisations need to be careful about relying too heavily on opt-out schemes.

"At present evidence demonstrates that general awareness of the functions and uses of cookies is simply not high enough for websites to look to rely entirely in the first instance on implied consent," the regulator warns.

It adds that those who fail to implement its rules properly could be fined up to £500,000.

Truste says companies across the EU and beyond will closely watch how the regulator enforces the directive.

"A lot of this starts with making sure companies understand what level of third-party tracking is actually happening on their sites - in many cases they don't," said Mr Deasy.

"The UK is somewhat taking a leadership role in terms of actually following through and having a hard date for when compliance needs to start taking place."