Saturday 5 January 2013

Shhhhh – the ICO issues a silent warning on cookies

I am extremely grateful to the mighty Eduardo Ursturan (he of Field Fisher Waterhouse fame) for pointing out that last December, on or around the last working day before most people started their Christmas holidays, ICO had quietly published a report detailing the concerns reported to them, the current picture and the action they are taking in relation to the cookie consent requirements.

If it were not for Eduardo’s eagle eyes, I would probably not have known about it for ages.

Eduardo explained that the highlights of the report are that:

  • Consumers are unhappy with implied consent mechanisms, especially where cookies are placed immediately on entry to the site.
  • Consumers often complain about the fact that they have not been given enough information generally, and specifically not enough information about how to decline cookies or manage them later.
  • The ICO is continuing to write to websites they receive concerns about.
  • The ICO has also looked at the types of cookie in use.
  • The provider must ensure that users can see clear and relevant information explaining what is likely to happen while they are accessing the site, and their choices as regards controlling what happens.
  • Failure to comply will result in formal action to ensure compliance, and the ICO may decide to name the site in order to make consumers aware of its use of cookies.
  • If an organisation refuses to take steps to comply, or has been involved in a particularly privacy-intrusive use of cookies without telling individuals or obtaining consent, the ICO will consider using formal regulatory powers in line with the criteria set out in the Data Protection Regulatory Action Policy and Guidance on the issue of monetary penalties.

Eduardo also comments: “This is the clearest threat of enforcement action to date!”

No.  I disagree with that last remark.

If the ICO’s enforcement team were to make any general threats of enforcement action, you might have thought that it would have tipped off the ICO’s press team, in order that a more public announcement could have been made. But has a general press release been issued? Is there any announcement on the front page of the ICO’s website? Can the report be accessed from a link that is easy to find?

Well, you try and find it.

Actually, to navigate to the report, you really do have to know that it exists in the first place. Casual visitors to the ICO’s website are almost certainly not going to visit their home page, click on the “Enforcement” link, then click on “What action is the ICO taking”, then click on “Cookies”, then scroll down almost to the end of quite a long page, before reading: “We have produced a report detailing the concerns reported to us, the current picture and the action we are taking as of December 2012.”

Having commented on how hard it is to find, I must congratulate the report’s authors for providing some useful examples of how it is possible to comply with the relevant requirements. Each example seeks consent through a banner on entry to the website. Even if consumers evidently: “are unhappy with implied consent mechanisms, especially where cookies are placed immediately on entry to the site”, the ICO’s enforcement team does appear to be comfortable with that practice – well, as far as the “essential” ones are concerned, anyway.

Is this really the ICO’s clearest threat of enforcement action to date?

If it is, then I’m a banana.

When you have to click through to such a deep part of the ICO’s website to find any mention of the report, I think the real message that the ICO is sending is that the enforcement team has higher priorities than enforcing the cookie rules.

And there’s nothing wrong with that.


Co-incidentally, at precisely the same time the ICO quietly published its report, Ireland's Data Protection Commissioner embarked on a different approach on precisely the same subject.  A press release on its website announced that it had written to some 80 Irish websites, asking them to provide information on the steps that they have taken to meet the cookie rules. Deputy Commissioner Gary Davis said:  “This is a legal requirement now for 18 months and we are disappointed with the response of websites.  Levels of compliance would appear to be very low compared to the UK for instance and we cannot allow that situation to continue.”

Just why the Irish regulator would have waited 18 months before sending this letter, giving the websites only 3 weeks to reply, 2 weeks of which fell over the Christmas and New Year holiday period, is not at all clear. 

Will this strategy be any more effective than the ICO’s “show and tell” approach? Only time will tell.

Oh, and yes, some of the websites targeted by the Irish regulator are operated by international businesses, whose British subsidiaries already appear to have achieved a high level of compliance with the cookie rules.