Friday 17 August 2012

Cookie enforcement: An opportunity for an unjust swipe at the ICO?

If you point your browser to pcpro today you won’t get much of a surprise. You’ll see a recent article by Nicole Kobie reporting that later this month, a team at the Information Commissioner’s Office will start to analyse the on-line submissions that have been sent to them setting out concerns about the way some 320 websites are following the new cookie rules.

This news has polarised those who have posted their own comments on the article.

Most commentators appear shocked that the ICO has not acted sooner (but they have not commented on where the enforcement resources would have come from, and what the ICO should not have done in order that cookie analysis could start earlier). Only a few commentators have pointed out the gap between expectation and funding, or have pointed out that there is a huge difference between a, independent regulator established to oversee compliance with the law (which is what the ICO is) and a privacy watchdog /activist with the aim of enforcing individuals rights above the rights of other stakeholders (which the ICO is not).

So many people have such high expectations of the ICO. But the ICO’s budget is not limitless. Given current funding levels, it simply can’t react to every issue that emerges. And when it does decide to investigate an issue, it can take some time. After all, how many months has the investigation into SPAM texts been going on – you know, the ones which tell you that you are probably eligible for compensation following a recent accident or a Payment Protection insurance miss-selling on your credit card or loan? And how many more months will go by before we stop getting these texts?

Full marks, though, to the ICO for what appears to have been some nifty footwork. So many organisations are obsessed with hitting targets and performance indicators these days. So what has happened to the 320 cookie reports that have been made to the ICO? Have each of these been treated as an individual complaint, meaning that they each need to be resolved within a fixed period, otherwise someone at the ICO gets a kicking?


According to Nicole Kobie: The ICO added that sites reported via the online tool may not necessarily be investigated, saying they "are not being taking forward as individual complaints", adding that "the purpose of this feedback form is to help us to monitor organisations’ adherence to the rule relating to cookies, and identify sectors where further advice or enforcement activity may be required".

So that’s all right then. They are not individual complaints. If you want to submit a complaint to the ICO about cookies, rather than just register a concern, you shouldn’t expect to do so using this form. And, in fairness to the ICO, when you complete the online submission form, you are given no expectation that they will be treated as an individual complaint, either. Here’s the relevant text on the splash page:

Please use this form to report your concerns about specific cookies or similar technologies being used by websites. We will use the information you provide to:

• Monitor organisations’ adherence to the rule relating to cookies, including the provision of appropriate information about cookies to users;
• Identify sectors where ICO contact or enforcement activity may be required; and
• Identify areas where further ICO guidance may be required.
We will not collect your contact details as our intention is to analyse and use the information collated to inform our broader (audit, policy and enforcement) activities. We will update our website with details of any action we are taking.
• Once you click ‘submit’ at the end of the form, the information you have provided will be forwarded to us.
• We will not respond to you individually as a result of the information you provide on the form.
• To ensure we have enough information about a website’s use of cookies, you will need to answer all of the questions in full. Please do not leave part way through answering these questions.

This raises the very interesting question of the ICO’s future complaints enforcement strategy.

May it be tempted to extend the range of issues on which individuals can be invited to register concerns, rather than complaints? And might this move make it easier for the ICO to report ever better stats on resolving complaints quickly (as, presumably, there could be fewer of them)? After all, you can give yourself an awful lot of flexibility over what action to take when you just invite expressions of concern.

Let’s see what happens.

UPDATE: 21 August:

The following link reports that the ICO has disputed the report published by pcpro. The ICO has said that it has reviewed the 331 responses collected from its online cookie concern reporting tool, and its next step is to write to all of the websites highlighted.

It said: “It should be noted that a significant number of the responses do not provide any intelligence that can be analysed, while a proportion also highlight websites that rely on implied consent, which is in line with the EU law.

“A progress update, including a list of all the websites contacted, will be published on our website in November, six months after the cookie concern reporting tool was established.”

If you want to register a cookie concern, rather than make a cookie complaint, use