ICO on new Cookie Law: 'Don't expect torrent of enforcement action'
Plans to wait for user complaints as the law comes into effect
Amid criticism that hardly any UK government websites comply with the new EU-mandated "Cookie Law" that comes into force on 27 May, the ICO has announced that it will be sending out some letters, and then waiting for people to complain.
The ICO will send out 50 letters to the UK's biggest websites over the next few days, its deputy commissioner, David Smith, has announced. At a press conference this morning, Smith said the ICO planned to ask the sites to show that they are asking users' consent for any cookies the websites are using to track their behaviour.
After that, the ICO will wait for users to complain about cookies on particular sites before investigating individual organisations for breaching the data protection law.
Cookie Law crunches into force
The Cookie Law officially came into force last year as part of the EU Privacy Act, but the UK allowed a year-long grace period during which the law was not actually enforced in order for businesses to work towards complying with it. However the measures announced today by the ICO seem to suggest that enforcement will be reactive and based on user complaints.
The end of the safe period "doesn't mean the ICO is going to launch a torrent of enforcement action" said the deputy commissioner and it would take serious breaches of data protection that caused "significant distress" to attract the maximum £0.5m non-compliance fine.
The 50 UK sites that the ICO is targeting will be ones that have the most unique users or are particularly well-known, the deputy commissioner said, and that may include government department sites. Government websites came in for a slating when it was found that many of them did not comply with the cookie legislation that the government is trying to bring in.
What organisations need to do
Companies didn't need to hire in consultants, said the ICO's David Evans, liaison manager for business and industry, but they did need to demonstrate awareness of the laws and some kind of action plan.
We don't expect all organisations not compliant on the 27th to have some evidence of taking action to be compliant.
The first step would include: doing a cookie audit, then making a judgement about what is acceptable, and then make an action plan about they're going to inform users.
Evans stressed that consumers would have to be informed in an unambiguous, clear way – so no small print legalese jammed at the bottom of a webpage. Websites would also have to take account of who their users are when drafting the notices: "Different websites have different demographics and that means that they have to explain cookies differently," said Evans.
Asked whether the ICO thought users knew enough to be able to consent to cookie agreements, Evans said: "We're not asking that user education has to give everyone a masters in computer science." He added that the legal definition of consent did not ask for proof that users understood what they were doing.
But the ICO will consider that websites will be responsible for all cookies on their site: even if the cookies come from third parties – for example from adverts provided by an advertising service. Sites that host advertising need to talk to their advertisers about what cookies the advertisers are serving up and then pass that information onto users.
"It's a complicated chain, I know," said the deputy commissioner, saying that they were in talks with advertising bodies about standards.
And the organisations that don't need to do anything
The businesses that are exempted from having to comply with the Cookie Law include search engines and social networks – most notably Facebook and Google – which are not based in the UK, as they do not fall under the ICO or EU remit.
The deputy commissioner said that the law would not affect offshore companies who had no physical presence in the UK.
And then things could get messy across the EU as well: All EU countries have to meet the same legal requirements – the Cookie Law is EU-wide – but with different enforcement bodies in different countries, they could all enforce it in different ways.
We have to work with our EU colleagues and the Do Not Track movement in the States, but at the moment we're focusing on UK sites.