The Information Commissioner’s Office (ICO) has now released further details of what it has been doing to enforce the new cookies laws that became law in May this year. We digest what the ICO has said.
A missed opportunity?
The ICO are not giving much away.
Outside cases where no attempt to comply has been made, they have not published any details (even at a high level) of the things people have been pulled up for.
This position is frustrating to say the least.
A lot of organisations are rightly after a practical steer (over and above the ICO’s existing guidance) as to what they should be doing; in particular:
- Whether the kind of pop-ups that have proliferated around the internet are really required (the ICO guidance encourages them, but allows for other options).
- Whether the International Chamber of Commerce’s suggested approach to cookies is sufficient.
- What kind of opt-out mechanisms the ICO want to see, if any, over and above turning cookies off in a web-browser or using third party tools such as Ghostery.
This approach may be a deliberate ploy on the ICO’s part to respect the confidentiality of the organisations to which it has written. That said, it would have been perfectly possible to give some indications of the causes of enforcement action, without being specific in individual cases.
We can only hope the ICO rectify this oversight in due course.
So what has the ICO actually said?
- The ICO has written to 154 organisations to date, to pull them up on their approach to the new cookies law.
- It has received 388 complaints about 207 websites, which is not insignificant but still relatively low by comparison to other areas of regulatory oversight.
- The rate of response emphasises the lack of consumer understanding around cookies in the ICO’s view. As a result, their focus is on encouraging full transparency over cookies.
- It checks all the websites about which it receives a complaint. Of the 207 sites complained about, only 43% had actually “taken steps to make users aware cookies are in use and obtain consent”. There is therefore a relatively high rate of limited or no compliance.