ICO on new Cookie Law: 'Don't expect torrent of enforcement action'

Plans to wait for user complaints as the law comes into effect


Amid criticism that hardly any UK government websites comply with the new EU-mandated "Cookie Law" that comes into force on 27 May, the ICO has announced that it will be sending out some letters, and then waiting for people to complain.

The ICO will send out 50 letters to the UK's biggest websites over the next few days, its deputy commissioner, David Smith, has announced. At a press conference this morning, Smith said the ICO planned to ask the sites to show that they are asking users' consent for any cookies the websites are using to track their behaviour.

After that, the ICO will wait for users to complain about cookies on particular sites before investigating individual organisations for breaching the data protection law.

Cookie Law crunches into force

The Cookie Law officially came into force last year as part of the EU Privacy Act, but the UK allowed a year-long grace period during which the law was not actually enforced, in order for businesses to work towards complying with it. However, the measures announced today by the ICO suggest that enforcement will be reactive and based on user complaints.

The end of the safe period "doesn't mean the ICO is going to launch a torrent of enforcement action", said the deputy commissioner, and it would take serious breaches of data protection that caused "significant distress" to attract the maximum £0.5m non-compliance fine.

The 50 UK sites that the ICO is targeting will be ones that have the most unique users or are particularly well-known, the deputy commissioner said, and that may include government department sites. Government websites came in for a slating when it was found that many of them did not comply with the cookie legislation that the government is trying to bring in.

What organisations need to do

Companies didn't need to hire in consultants, said the ICO's David Evans, liaison manager for business and industry, but they did need to demonstrate awareness of the laws and some kind of action plan.

We don't expect all organisations not compliant on the 27th to have some evidence of taking action to be compliant.

The first steps would include doing a cookie audit, then making a judgement about what is acceptable, and then making an action plan for how they are going to inform users.

Evans stressed that consumers would have to be informed in an unambiguous, clear way – so no small print legalese jammed at the bottom of a webpage. Websites would also have to take account of who their users are when drafting the notices: "Different websites have different demographics and that means that they have to explain cookies differently," said Evans.

Asked whether the ICO thought users knew enough to be able to consent to cookie agreements, Evans said: "We're not asking that user education has to give everyone a masters in computer science." He added that the legal definition of consent did not ask for proof that users understood what they were doing.

But the ICO will hold websites responsible for all cookies on their site, even if the cookies come from third parties – for example from adverts provided by an advertising service. Sites that host advertising need to talk to their advertisers about what cookies the advertisers are serving up and then pass that information on to users.
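The cookie audit and the third-party responsibility described above can be started with an inventory like the following. This is an added example, not ICO tooling or anything from the article: it assumes you have captured the Set-Cookie headers each host sent while the page loaded (the constructed SAMPLE below), and it uses a small hand-picked set of UK suffixes in place of a full public-suffix list.

```python
# Added example (not ICO tooling): inventory the cookies a page sets, tagging each
# as first- or third-party and session or persistent, as a cookie audit would.
from dataclasses import dataclass
from typing import Dict, List, Tuple
# Assumption: a few UK second-level suffixes stand in for the public-suffix list.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "gov.uk", "nhs.uk"}

@dataclass
class CookieRecord:
    name: str
    domain: str       # effective Domain attribute (defaults to the responding host)
    party: str        # "first" or "third" relative to the audited page host
    lifetime: str     # "session" (no Expires/Max-Age) or "persistent"
    secure: bool
    http_only: bool

def site_of(host: str) -> str:
    # Registrable domain of a host, e.g. www.example.co.uk -> example.co.uk
    labels = host.lower().strip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])

def parse_set_cookie(page_host: str, set_by: str, header: str) -> CookieRecord:
    # One Set-Cookie header sent by host `set_by` while the page on `page_host` loaded
    parts = [p.strip() for p in header.split(";")]
    attrs: Dict[str, str] = {}
    flags = set()
    for attr in parts[1:]:
        key, has_val, val = attr.partition("=")
        if has_val:
            attrs[key.strip().lower()] = val.strip()
        else:
            flags.add(key.strip().lower())
    domain = attrs.get("domain", set_by).lstrip(".").lower()
    return CookieRecord(
        name=parts[0].partition("=")[0].strip(), domain=domain,
        party="first" if site_of(domain) == site_of(page_host) else "third",
        lifetime="persistent" if "max-age" in attrs or "expires" in attrs else "session",
        secure="secure" in flags, http_only="httponly" in flags)

def audit(page_host: str, responses: List[Tuple[str, List[str]]]) -> List[CookieRecord]:
    # responses: (responding host, its Set-Cookie headers) for each resource the page loads
    return [parse_set_cookie(page_host, host, h) for host, headers in responses for h in headers]

# Constructed sample: a UK site whose page also loads a banner from an ad network.
SAMPLE = [
    ("www.example.co.uk", ["sid=abc123; Path=/; Secure; HttpOnly",
                           "prefs=dark; Domain=.example.co.uk; Max-Age=31536000"]),
    ("ads.adnetwork.example", ["uid=xyz; Domain=.adnetwork.example; Expires=Fri, 31 Dec 2032 23:59:59 GMT"]),
]
```

Running `audit("www.example.co.uk", SAMPLE)` separates the site's own session and preference cookies from the persistent ad-network cookie, which is the third-party entry the site would need to explain to its users.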

"It's a complicated chain, I know," said the deputy commissioner, saying that they were in talks with advertising bodies about standards.

And the organisations that don't need to do anything

The businesses that are exempted from having to comply with the Cookie Law include search engines and social networks – most notably Facebook and Google – which are not based in the UK, as they do not fall under the ICO or EU remit.

The deputy commissioner said that the law would not affect offshore companies that had no physical presence in the UK.

And then things could get messy across the EU as well: all EU countries have to meet the same legal requirements – the Cookie Law is EU-wide – but with different enforcement bodies in different countries, they could all enforce it in different ways.

Smith said:

We have to work with our EU colleagues and the Do Not Track movement in the States, but at the moment we're focusing on UK sites.
