In 2012, “the cookie law” was implemented in the UK (it was actually a year earlier, but UK organisations were given a year’s grace period). I put in a ‘Freedom of Information’ request to the Information Commissioner’s office to see how they’re currently enforcing the law. Ashley Duffy (Lead Information Access Officer at the ICO) very kindly responded.
This post has a little bit of preamble, the numbers on how many ‘concerns’ have been raised about cookies by members of the public, detail on how the ICO has generally responded, and a summary.
The law essentially says you must tell your users prominently if your site is using cookies. Of course, by 2012 when the law began being enforced, almost every site on the web was using cookies, and therefore this meant every business in the UK rushed to do something to try and understand their requirements and comply with this new law. The Information Commissioner’s Office (who are responsible for policing this in the UK) flipped & flopped a little bit on what was acceptable for sites to do to gain consent that their visitors were happy to be tracked via cookies, but eventually agreed that ‘implied’ consent was a valid way for sites to achieve this. This is the approach that virtually every UK site now follows.
Here’s the ICO’s bullet-point guidance on what ‘implied consent’ means:
Some sites choose to take that to mean “we have to place a strip across the top of the site telling everyone”, others read it as “we just have to have a link in the footer that says ‘cookies’”, etc. In summary though – it means that, almost without exception, sites in the UK place cookies without the user taking a specific ‘explicit’ action to say they’re happy with that. In other countries this is much harsher – for example in France many sites avoid placing any cookies until the user has either accepted, or clicked/scrolled on a page.
Enforcement: The Numbers
The Information Commissioner’s office very kindly replied to a Freedom of Information request I put in, asking for a breakdown of complaints & their response so far. They publish much of this info on their website, but it’s a tiny bit out of date & missing one or two answers. Here is the number of complaints (they refer to a complaint as a ‘concern’) that have been expressed to the Information Commissioner’s office, broken down over the last few years:
In other words, there have been a total of 1,023 ‘concerns’ raised by members of the public in the time since the law began being enforced. The number has dropped over time, with more than 50% of all complaints happening in the first 6 months after enforcement began, and only 7% of complaints in the last 6 months.
As context, the ICO received 47,465 ‘concerns’ about unwanted marketing communications between April & June 2014. In other words – if you’ve been doing the maths there, you’ll have noticed these 2 key stats:
- Between July & September there was only roughly 1 complaint every 3 days.
- Between April & June (all else being equal) – it was 1,249x more likely for a company to be complained about as a result of marketing communications than as a result of improperly informing users about cookies.
The ICO Response
The ICO give a good level of detail breaking down the above ‘concerns’ and their response:
- Among the 1,023 complaints, there were 52 sites which were complained about more than once.
- Following the 1,023 complaints since the ‘cookie law’ rolled out, the ICO say they have written to 275 organisations “where a complaint has been received about a website”. Absolutely no formal action has been taken (i.e. no prosecution, fine, etc.).
- “27 larger sites have been investigated. We have prioritised those sites that are most-frequently visited by UK individuals (sites ranked within the top 200 most-visited in the UK). We have rated these sites as red, amber or green depending on the steps taken towards compliance. Currently all of these sites fall within the green category.”
The red/amber/green categories are as follows:
- Red: The site hasn’t taken any steps to comply.
- Amber: The site has taken some steps, but the ICO consider it ‘non-compliant’.
- Green: “Significant steps taken to make users aware cookies are in use and obtain consent.”
Here’s a chart directly from the ICO showing the history of their classification for websites they’ve investigated. These are the group within their priority ‘top 200 most-visited in the UK’ about whom they’ve had complaints & have investigated:
As you can see, only one site among those has ever been in the red bracket, and all have moved into the “significant steps taken to make users aware cookies are in use and obtain consent” bucket. In other words, it looks like nobody’s ever been in any real trouble with the ICO in relation to cookies. I clarified this by asking for the number of sites prosecuted, or where other action was taken against a site for non-compliance with the cookie law, to which the response was:
“We have not had to take any formal action to date, instead we have used informal methods to secure compliance such as through correspondence and compliance meetings.”
That is the key line in this post really: nobody has been charged with anything in the UK, nobody has been fined, the ICO has simply worked with them to get them to a state where they’re happy that users have given ‘implied consent’ that they’re happy for sites to set cookies.
In summary, and in answer to the question in the headline:
- Yes, the “cookie law” is being enforced.
- It is most definitely not a high priority within the Information Commissioner’s Office (they do not have a single full-time member of staff assigned to it, for example).
- ‘Enforcement’ so far has simply meant: take complaints from the public, prioritise them based on the scale of reach of the site concerned, contact organisations to ask them to take steps toward compliance, check whether they have done that.
Based on the extremely low number of complaints they’ve received, I’d say the ICO are doing a really good job of matching the response to the actual level of interest from the public: the general public does not seem fussed about this issue at all (for better or worse), or they are broadly happy with the way it’s presented by sites.
Finally, with the obvious caveats that the ICO could change their policies if they wish, and that I am not offering legal advice:
- From a business perspective: if you’re not among the 200 most visited sites in the UK, it seems you’re likely to be lower priority from the ICO’s point of view.
- Even among the top most visited sites, as long as you’ve taken steps toward compliance & you’re willing to cooperate and take more, you are likely (literally) to be able to achieve a green light.