Internet cookie law catches out MPs including justice secretary
Justice Secretary Chris Grayling is among 13 senior MPs whose websites have not been obtaining consent while gathering users' data in tracking files called cookies, the BBC has learned.
Mr Grayling's spokesman said a cookie pop-up window had been "accidentally disabled for a brief period".
But the UK's data watchdog said it would remind all 13 MPs about their compliance with EU privacy laws.
Campaigners say the law, which came into force a year ago, is "unworkable".
The Information Commissioner's Office (ICO), which is tasked with enforcing the e-privacy directive containing the provisions on cookies, refused to confirm or deny that the websites were breaking the law.
Cookies are small text files saved by websites on users' computers to store browsing information.'No privacy risk'
Falling foul of cookie law?
The BBC looked at the constituency websites of the 59 MPs who are either in the cabinet or shadow cabinet, or attend their meetings. Of these, 13 appeared to be using cookies without displaying pop-ups or banners to obtain "informed consent":
- Government: Deputy PM Nick Clegg, Justice Secretary Chris Grayling, Chief Secretary to the Treasury Danny Alexander, Energy Secretary Ed Davey, Northern Ireland Secretary Theresa Villiers and Commons Leader Andrew Lansley
- Opposition: Shadow deputy PM Harriet Harman, shadow chancellor Ed Balls, shadow justice secretary Sadiq Khan, shadow environment secretary Mary Creagh, shadow Northern Ireland secretary Vernon Coaker, policy review co-ordinator Jon Cruddas and the Labour leader's parliamentary private secretary Karen Buck
Since being contacted for comment by the BBC, seven of the 13 MPs have installed cookie pop-ups or banners.
But no such feature appeared when the BBC visited the constituency websites of cabinet members Nick Clegg, Chris Grayling, Danny Alexander, Ed Davey and Theresa Villiers, and cabinet attendee Andrew Lansley.
Senior Labour MPs Harriet Harman, Ed Balls, Sadiq Khan, Mary Creagh, Vernon Coaker, Jon Cruddas and Karen Buck had also not adopted this approach on their constituency websites.
ICO spokesman Robert Parker said it was "difficult" to determine whether each website was complying with the directive or not, and the watchdog would only make sufficient resources available "if we felt that it was causing large numbers of people significant damage and distress".
But he said the ICO would write to the MPs concerned to remind them of their obligations under the law.
A spokesman for Deputy Prime Minister Nick Clegg said it was a "technical oversight" that one of the MP's two websites did not seek users' consent to save cookies to their machines.
"After it was drawn to our attention, we have quickly taken steps to make sure the constituency website is compliant with the directive," he said.
It has emerged that the ICO sent a similar warning letter to Mr Clegg in 2012. "We have not conducted a thorough audit of your site," it said. "This letter does not confirm your site is compliant, or suggest it is not, but is intended to keep you informed."'Most frustrating'
Cookies are small files that allow a website to recognise and track users. The ICO identifies three overlapping groups:
Files that allow a site to link the actions of a visitor during a single browser session. These might be used by an internet bank or webmail service. They are not stored long-term and are considered "less privacy intrusive" than persistent cookies.
These remain on the user's device between sessions and allow one or several sites to remember details about the visitor. They may be used by marketers to target advertising or to avoid the user having to provide a password during each visit.
First- and third-party cookies
A cookie is classed as being first-party if it is set by the site being visited. It might be used to study how people navigate a site.
It is classed as third-party if it is issued by a different server from that of the domain being visited. It could be used to trigger a banner advert based on the visitor's viewing habits.
Ed Davey and Karen Buck said they had taken new steps to ensure their website was compliant with the law. A spokesman for Ms Harman, who is a prominent QC, said that her site had been compliant even without the cookie pop-up, which has since been re-introduced after a "technical issue recently caused [it] not to display". A spokesman for Mary Creagh said her website was being upgraded and would soon contain a cookie widget.
Some types of cookie are exempt from the law.
But all 13 MPs appear to be using Google Analytics on their websites, a widely used service which enables the owners of websites to gather anonymised data about how people browse their websites, for example whether they have visited the site before and how long they spend on each page of the site.
The ICO has said such cookies are not exempt, even though they are "not likely to create a privacy risk" if website owners "provide clear information about the cookies to users and privacy safeguards, e.g. a user-friendly mechanism to opt out from any data collection".
It has also said it is "highly unlikely" to take any formal action against any website using analytics cookies in breach of the law.
He added: "The ICO has the impossible job of policing an unworkable law.
"The most frustrating thing for website owners has been trying to second guess what the law means, as it changes constantly. A lot of time and money has been wasted accomplishing very little.
"The idea of this law is a noble one, it's just a shame it was drafted by a team of technically illiterate octogenarians who couldn't find a button on a mouse."