The Information Commissioner's Christmas Message On Cookies
Importance: [rating=5]
Recommended link: ICO 18.12.2012 PDF summarising Enforcement action
Our commentary on the new report
Do you remember May 2012? It seems like ancient history now… At the time, most site owners were concerned with becoming compliant with what most referred to as the “cookie law” (technically, the 2011 amendment to the Privacy and Electronic Communications Regulation Act).
Many larger companies did respond to the law, as we showed in this post reviewing how companies were responding to it.
On 18th December the UK ICO released a “must read” PDF reviewing their enforcement action. These are the main points site owners need to be aware of as I see them.
- 1. The cookie law is a lower priority for consumers, and so for the ICO, than unwanted marketing communications (mainly junk texts and email spam).
- 2. Between 25 May and 21 November 2012 the ICO received 550 reports about cookies from consumers while there were 53,000 about unwanted marketing communications.
- 3. Consumers’ concerns vary, but two themes the ICO call out are that they: "Are unhappy with implied consent mechanisms, especially where cookies are placed immediately on entry to the site or insufficient information has been given information generally, and specifically not enough information about how to decline cookies or manage them later". Many of the 550 complaints were against the rules themselves, it seems:
"A significant number of people also raised concerns about the new rules themselves and the effect on the usability of websites"...
This breakdown of complaints suggests that many people were complaining about being asked for permission to place cookies (bottom chart), although the two charts seem to contradict each other...
- 4. With limited resources, enforcement activity of the ICO has focused on sites ranked in the 200 most visited in the UK and those about which it received at least one report of concern. You can see the 174 companies the ICO has written to where sites have been reviewed.
- 5. The ICO notes that the majority of sites rely on implied consent and gives examples of good practice which are not pop-up based but are static banners:
They remind site owners that it is important that the person seeking consent can satisfy themselves that:
"the user’s actions are both an explicit request for content or services, and an indirect expression of the user’s agreement that the provider may store or access information on the user’s device.
To be confident about this, the provider must ensure that users can see clear and relevant information explaining what is likely to happen while they are accessing the site, and their choices as regards controlling what happens.
Sites in this category give information about cookies to varying levels of detail; but they may not have phrased it in a way that seeks consent or we may regard it as difficult to find. So these sites could do better, but they often feature clear information about the use of cookies and how to manage them".
Implied cookie consent examples from ICO
So what are the implications? It seems most companies won’t be investigated unless there is a complaint against them, and even then no steps will be taken unless they have taken no action, in which case they might be contacted. As we advised previously, site owners should take steps to clarify the information on use of cookies and how to manage them. However, it is not clear what companies should do when they are dependent on third-party services, like content management systems or Ecommerce platforms, that place cookies over which they have limited control.
The report ends by noting:
“Sites that have not taken any steps. It is encouraging that only one site fell into this category, but we are contacting the site to set a deadline for compliance. Failure to comply will result in formal action to ensure compliance, and we may decide to name the site in order to make consumers aware of its use of cookies”.