Just before Christmas 2012, the UK data privacy watchdog published a report of the steps it had taken to enforce “new” cookie consent laws first in force May 2011, with examples of acceptable practice. It also recently changed its own site cookie policy. Sue Gold reports
Topic: Online advertising
Who: ICO
When: 18 December 2012
Where: UK
Law stated as at: 31st January
What happened:
The ICO published an Activity Report on the use of cookies on websites to determine compliance following the May 2012 deadline for compliance with consent requirements under the E-Privacy Directive. The report summarises concerns reported to the ICO by individuals in the previous six months and details what action the ICO has taken.
Summary of some of the key findings
- The ICO received 388 reports about the use of cookies on 207 individual websites and 53,000 reports about unwanted marketing communications.
- Consumer concerns included dissatisfaction with implied consent mechanisms, notably where cookies were placed immediately on entry to the site, and a general lack of information.
- The ICO conducted a “basic visual audit” of the applicable sites and then wrote to 106 sites to inform them of the complaint and to ask for information on compliance with the new rules.
- One site reported to the ICO had not taken any steps to ensure compliance and the ICO set this site a deadline for compliance.
- No fines to date although the ICO does have the power to fine infringing sites (up to £500,000). The ICO states action will be “proportionate to the risk to consumers”.
- The ICO will exercise its formal regulatory powers against organisations that “refuse to take steps to comply” or are involved in “particularly privacy-intrusive use of cookies”.
- ICO focus has been on the 200 most visited websites in the UK. The majority of sites relied on implied consent and the ICO states that for implied consent to work there must be an indirect expression of the user’s agreement to share or allow access to information on the user’s device.
- Where the ICO has concerns and sites are based in another EU location the ICO will share its concerns [5 sites reported to date] with other EU Regulators.
- Consumers’ concerns vary significantly, but two themes are that they:
  - are unhappy with implied consent mechanisms, especially where cookies are placed immediately on entry to the site;
  - have not been given enough information generally and specifically not enough information about how to decline cookies or manage them later.
- A significant number of people also raised concerns about the new rules themselves and the effect on the usability of websites.
Why this matters:
The report indicates that so far there have been relatively few complaints and the ICO will focus on a risk-based approach, looking particularly at sites where no steps have been taken to comply. It is important to ensure that reasonable steps have been taken (cookies banner and cookies policy). Of more interest is the high number of complaints on unsolicited marketing and increased consumer concern and awareness, so compliance with marketing consent requirements should become a key priority, particularly due to the potential for high fines.
Other related developments
From February 2013 the ICO is changing its own practices for ‘cookie’ consent and will revert to an implied consent model with a new cookie banner.
The ICO fined Tetrus Telecoms £440,000 for sending 840,000 illegal spam marketing texts per day over a 3-year period. The ICO received 400 complaints and conducted an 18-month investigation.
A privacy claim is being brought against Google over allegations that it secretly tracked the online usage of users of Apple’s Safari internet browser using cookies.
Dutch and Canadian regulators are investigating WhatsApp (over 300 million users worldwide) for breach of privacy laws by accessing and storing users’ contacts. The ICO is also investigating.