I am extremely grateful to the mighty Eduardo Ursturan (he of
Field Fisher Waterhouse fame) for pointing out that last December, on or around
the last working day before most people started their Christmas holidays, ICO
had quietly published a report detailing the concerns reported to them, the
current picture and the action they are taking in relation to the cookie
consent requirements.
If it were not for Eduardo’s eagle eyes, I would probably not have known about
it for ages.
- Consumers are unhappy with implied consent mechanisms, especially where cookies are placed immediately on entry to the site.
- Consumers often complain about the fact that they have not been given enough information generally, and specifically not enough information about how to decline cookies or manage them later.
- The ICO is continuing to write to websites they receive concerns about.
- The ICO has also looked at the types of cookie in use.
- The provider must ensure that users can see clear and relevant information explaining what is likely to happen while they are accessing the site, and their choices as regards controlling what happens.
- Failure to comply will result in formal action to ensure compliance, and the ICO may decide to name the site in order to make consumers aware of its use of cookies.
- If an organisation refuses to take steps to comply, or has been involved in a particularly privacy-intrusive use of cookies without telling individuals or obtaining consent, the ICO will consider using formal regulatory powers in line with the criteria set out in the Data Protection Regulatory Action Policy and Guidance on the issue of monetary penalties.
Eduardo also comments: “This is the clearest threat of enforcement action to
date!”
No. I disagree with that last remark.
If the ICO’s enforcement team were to make any general threats of enforcement
action, you might have thought that it would have tipped off the ICO’s press
team, in order that a more public announcement could have been made. But has a
general press release been issued? Is there any announcement on the front page
of the ICO’s website? Can the report be accessed from a link that is easy to
find?
Well, you try and find it.
Actually, to navigate to the report, you really do have to know that it exists
in the first place. Casual visitors to the ICO’s website are almost certainly
not going to visit their home page, click on the “Enforcement” link, then click
on “What action is the ICO taking”, then click on “Cookies”, then scroll down
almost to the end of quite a long page, before reading: “We have produced a
report detailing the concerns reported to us, the current picture and the
action we are taking as of December 2012.”
Having commented on how hard it is to find, I must
congratulate the report’s authors for providing some useful examples of how it
is possible to comply with the relevant requirements. Each example seeks
consent through a banner on entry to the website. Even if consumers evidently: “are unhappy with implied consent
mechanisms, especially where cookies are placed immediately on entry to the
site”, the ICO’s enforcement team does appear to be comfortable with that
practice – well, as far as the “essential” ones are concerned, anyway.
Is this really the ICO’s clearest threat of enforcement action to date?
If it is, then I’m a banana.
When you have to click through to such a deep part of the ICO’s website to find
any mention of the report, I think the real message that the ICO is sending is
that the enforcement team has higher priorities than enforcing the cookie rules.
And there’s nothing wrong with that.
Footnote:
Coincidentally, at precisely the same time the ICO quietly
published its report, Ireland's Data Protection Commissioner embarked on a
different approach on precisely the same subject. A press release on its website announced that
it had written to some 80 Irish websites, asking them to provide information on
the steps that they have taken to meet the cookie rules. Deputy Commissioner
Gary Davis said: “This is a legal
requirement now for 18 months and we are disappointed with the response of
websites. Levels of compliance would appear to be very low compared to
the UK for instance and we cannot allow that situation to continue.”
Just why the Irish
regulator would have waited 18 months before sending this letter, giving the
websites only 3 weeks to reply, 2 weeks of which fell over the Christmas and
New Year holiday period, is not at all clear.
Will this strategy be any
more effective than the ICO’s “show and tell” approach? Only time will tell.
Oh, and yes, some of the
websites targeted by the Irish regulator are operated by international
businesses, whose British subsidiaries already appear to have achieved a high
level of compliance with the cookie rules.