ICO Enforcement Action On The New Cookie Law

The Information Commissioner’s Office (ICO) has now released further details of what it has been doing to enforce the new cookies laws that became law in May this year. We digest what the ICO has said.

A missed opportunity?

The ICO are not giving much away.

Outside cases where no attempt to comply has been made, they have not published any details (even at a high level) of the things people have been pulled up for.

This position is frustrating to say the least.

A lot of organisations are rightly after a practical steer (over and above the ICO’s existing guidance) as to what they should be doing; in particular:

  • Whether the kind of pop-ups that have proliferated around the internet are really required (the ICO guidance encourages them, but allows for other options).
  • How specific a cookie policy should be. For sites that carry a lot of cookies, transparency can involve quite a lot of detail, details in which many consumers may not be interested.
  • Whether the International Chamber of Commerce’s suggested approach to cookies is sufficient.
  • What kind of opt-out mechanisms the ICO want to see, if any, over and above turning cookies off in a web-browser or using third party tools such as Ghostery.

This approach may be a deliberate ploy on the ICO’s part to respect the confidentiality of the organisations to which it has written. That said, it would have been perfectly possible to give some indications of the causes of enforcement action, without being specific in individual cases.

We can only hope the ICO rectify this oversight in due course.

So what has the ICO actually said?

  • The ICO has written to 154 organisations to date, to pull them up on their approach to the new cookies law.
  • It has received 388 complaints about 207 websites, which is not insignificant but still relatively low by comparison to other areas of regulatory oversight.
  • The rate of response emphasises the lack of consumer understanding around cookies in the ICO’s view. As a result, their focus is on encouraging full transparency over cookies.
  • It checks all the websites about which it receives a complaint. Of the 207 sites complained about, only 43% had actually “taken steps to make users aware cookies are in use and obtain consent”. There is therefore a relatively high rate of limited or no compliance.
This information is intended as a general discussion surrounding the topics covered and is for guidance purposes only. It does not constitute legal advice and should not be regarded as a substitute for taking legal advice. DWF is not responsible for any activity undertaken based on this information.