Is the Cookie Law Being Enforced in the UK?

In 2012, “the cookie law” was implemented in the UK (it was actually a year earlier, but UK organisations were given a year’s grace period). I put in a ‘Freedom of Information’ request to the Information Commissioner’s office to see how they’re currently enforcing the law. Ashley Duffy (Lead Information Access Officer at the ICO) very kindly responded.

This post has a little bit of preamble, the numbers on how many ‘concerns’ have been raised about cookies by members of the public, detail on how the ICO has generally responded, and a summary.

Cookie Law?

The law essentially says you must tell your users prominently if your site is using cookies. Of course, by 2012 when the law began being enforced, almost every site on the web was using cookies, and therefore this meant every business in the UK rushed to do something to try and understand their requirements and comply with this new law. The Information Commissioner’s Office (who are responsible for policing this in the UK) flipped & flopped a little bit on what was acceptable for sites to do to gain consent that their visitors were happy to be tracked via cookies, but eventually agreed that ‘implied’ consent was a valid way for sites to achieve this. This is the approach that virtually every UK site now follows.

Here’s the ICO’s bullet-point guidance on what ‘implied consent’ means:

Some sites choose to take that to mean “we have to place a strip across the top of the site telling everyone”, some read it as “we just have to have a link in the footer that says ‘cookies’”, etc. In summary though – it means almost without exception, sites in the UK place cookies without the user taking a specific ‘explicit’ action to say they’re happy with that. In other countries this is much harsher – for example in France many sites avoid placing any cookies until the user has either accepted, or clicked/scrolled on a page.
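The two consent styles contrasted above (implied consent inferred from a scroll or click, and the stricter approach where nothing non-essential is set until the visitor actively accepts) as an added JavaScript example. This is illustrative code written for this article, not code from the post, the ICO or any site it mentions. The cookie names, the categories, the Max-Age and the sample cookies are assumptions; it works on HTTP header strings rather than `document.cookie`, so it runs under Node without a browser. It also carries a decline path that an incidental scroll cannot override, which is the failure mode an implied-consent banner most needs to guard against.

```javascript
// Added example (not from the post): a minimal first-party consent gate that
// models the two approaches the post contrasts. 'implied' treats a scroll or
// click on the page as acceptance; 'explicit' sets nothing non-essential until
// the visitor actively accepts. Cookie names, categories and Max-Age are
// assumptions for illustration.

const CONSENT_COOKIE = 'cookie_consent';   // assumed name of the record cookie
const ONE_YEAR = 365 * 24 * 60 * 60;       // seconds; assumed retention

// Strictly necessary cookies (session, CSRF token) are exempt from consent;
// everything else waits for a decision.
const EXEMPT_CATEGORIES = new Set(['necessary']);

// Build a Set-Cookie header value for a first-party cookie.
function serializeCookie(name, value, opts = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`, 'Path=/', 'SameSite=Lax'];
  if (opts.maxAge !== undefined) parts.push(`Max-Age=${opts.maxAge}`);
  if (opts.secure) parts.push('Secure');
  if (opts.httpOnly) parts.push('HttpOnly');
  return parts.join('; ');
}

// Parse an incoming Cookie request header ("a=1; b=2") into a plain object.
function parseCookieHeader(header) {
  const out = {};
  for (const pair of (header || '').split(';')) {
    const idx = pair.indexOf('=');
    if (idx < 0) continue;
    const name = pair.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(pair.slice(idx + 1).trim());
  }
  return out;
}

class ConsentGate {
  constructor(mode) {
    if (mode !== 'explicit' && mode !== 'implied') throw new Error(`unknown mode ${mode}`);
    this.mode = mode;
  }

  // The decision already recorded for this visitor, or undefined if none.
  recorded(cookieHeader) {
    const v = parseCookieHeader(cookieHeader)[CONSENT_COOKIE];
    return v === 'accepted' || v === 'declined' ? v : undefined;
  }

  // Combine the recorded decision with a user event ('accept', 'decline',
  // 'scroll', 'click' or null). An active accept/decline always wins; a
  // recorded 'declined' is never overridden by an incidental scroll.
  decide(recorded, event) {
    if (event === 'accept') return 'accepted';
    if (event === 'decline') return 'declined';
    if (recorded) return recorded;
    if (this.mode === 'implied' && (event === 'scroll' || event === 'click')) return 'accepted';
    return undefined; // still pending: show the banner, set nothing non-essential
  }

  // May a cookie of this category be set under this decision?
  mayStore(category, decision) {
    return EXEMPT_CATEGORIES.has(category) || decision === 'accepted';
  }

  // Given the request's Cookie header, the event reported by the page and the
  // cookies the application wants to set ([{name, value, category}]), return
  // the Set-Cookie headers the response is allowed to carry.
  responseCookies(cookieHeader, event, wanted) {
    const before = this.recorded(cookieHeader);
    const decision = this.decide(before, event);
    const headers = [];
    if (decision && decision !== before) {
      headers.push(serializeCookie(CONSENT_COOKIE, decision, { maxAge: ONE_YEAR, secure: true }));
    }
    for (const c of wanted) {
      if (this.mayStore(c.category, decision)) {
        headers.push(serializeCookie(c.name, c.value, { secure: true, httpOnly: c.category === 'necessary' }));
      }
    }
    return headers;
  }
}

// Constructed sample: what an application might ask to set on a page load.
const WANTED = [
  { name: 'sid', value: 'abc123', category: 'necessary' },
  { name: '_ga', value: 'GA1.2.1', category: 'analytics' },
];

const explicitGate = new ConsentGate('explicit');
const impliedGate = new ConsentGate('implied');
console.log('explicit, first visit, scrolled:', explicitGate.responseCookies('', 'scroll', WANTED));
console.log('implied, first visit, scrolled: ', impliedGate.responseCookies('', 'scroll', WANTED));
console.log('implied, declined, scrolled:    ', impliedGate.responseCookies('cookie_consent=declined', 'scroll', WANTED));
```

Under the explicit gate a first-time visitor who only scrolls gets the session cookie and nothing else; under the implied gate the same scroll records acceptance and releases the analytics cookie. In both modes a recorded decline stays in force until the visitor actively accepts, so the gate never quietly converts a refusal into consent.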

Enforcement: The Numbers

The Information Commissioner’s office very kindly replied to a Freedom of Information request I put in, asking for a breakdown of complaints & their response so far. They publish much of this info on their website, but it’s a tiny bit out of date & missing one or two answers. Here is the number of complaints (they refer to a complaint as a ‘concern’) that have been expressed to the Information Commissioner’s office, broken down over the last few years:

In other words, there have been a total of 1,023 ‘concerns’ raised by members of the public in the time since the law began being enforced. The number has dropped over time, with more than 50% of all complaints happening in the first 6 months after enforcement began, and only 7% of complaints in the last 6 months.

As context, the ICO received 47,465 ‘concerns’ about unwanted marketing communications between April & June 2014. In other words – if you’ve been doing the maths there, you’ll have noticed these 2 key stats:

  • Between July & September there was roughly only 1 complaint every 3 days.
  • Between April & June (all else being equal) – it was 1,249x more likely for a company to be complained about as a result of marketing communications than as a result of improperly informing users about cookies.

The ICO Response

The ICO give a good level of detail breaking down the above ‘concerns’ and their response:

  • Among the 1,023 complaints, there were 52 sites which were complained about more than once.
  • Following the 1,023 complaints since the ‘cookie law’ rolled out, the ICO say they have written to 275 organisations “where a complaint has been received about a website”. Absolutely no formal action has been taken (i.e. no prosecution, fine, etc.).
  • “27 larger sites have been investigated. We have prioritised those sites that are most-frequently visited by UK individuals (sites ranked within the top 200 most-visited in the UK). We have rated these sites as red, amber or green depending on the steps taken towards compliance. Currently all of these sites fall within the green category.”

The red/amber/green categories are as follows:

  • Red: The site hasn’t taken any steps to comply.
  • Amber: The site has taken some steps, but the ICO consider it ‘non-compliant’.
  • Green: “Significant steps taken to make users aware cookies are in use and obtain consent.”

Here’s a chart directly from the ICO showing the history of their classification for websites they’ve investigated. These are the group within their priority ‘top 200 most-visited in the UK’ about whom they’ve had complaints & have investigated:

As you can see, only one site among those has ever been in the red bracket, and all have moved into the “significant steps taken to make users aware cookies are in use and obtain consent” bucket. I.e., it looks like nobody’s ever been in any real trouble with the ICO in relation to cookies. I clarified this by asking for the number of sites prosecuted, or where other action was taken against a site for non-compliance with the cookie law, to which the response was:

“We have not had to take any formal action to date, instead we have used informal methods to secure compliance such as through correspondence and compliance meetings.”

That is the key line in this post really: nobody has been charged with anything in the UK, nobody has been fined, the ICO has simply worked with them to get them to a state where they’re happy that users have given ‘implied consent’ that they’re happy for sites to set cookies.

Summary:

In summary, and in answer to the question in the headline:

  • Yes, the “cookie law” is being enforced.
  • It is most definitely not a high priority within the Information Commissioner’s Office (they do not have a single member of full-time staff assigned to it, for example).
  • ‘Enforcement’ so far has simply meant: take complaints from the public, prioritise them based on the scale of reach of the site concerned, contact organisations to ask them to take steps toward compliance, check whether they have done that.

Based on the extremely low number of complaints they’ve received, I’d say the ICO are doing a really good job of matching the response to the actual level of interest from the public: the general public does not seem fussed about this issue at all (for better or worse), or they are broadly happy with the way it’s presented by sites.

Finally, with the obvious caveats that the ICO could change their policies if they wish, and that I am not offering legal advice:

  • From a business perspective: if you’re not among the 200 most visited sites in the UK, it seems you’re likely to be lower priority from the ICO’s point of view.
  • Even among the top most visited sites, as long as you’ve taken steps toward compliance & you’re willing to cooperate and take more, you are likely (literally) to be able to achieve a green light.

15 Replies to “Is the Cookie Law Being Enforced in the UK?”

  1. I’m not sure why you felt a need to put in an FOI as ICO has publicly listed all of the information every quarter. I have been recording all of the information in blog posts each quarter for when ICO overwrites it on their main page.

    The real story, IMHO, lies behind the numbers. For their 2012 annual report, ICO released a list of organisations reported to them for cookie law violations. This list tells the story. These are not internet giants, social networking sites, or data harvesters. These are small businesses, small businesses’ competitors, and small businesses that someone had a problem with. There are also politicians and public sector organisations (George Osborne, Nick Clegg, Councils). The implication is clear: the cookie law was being misused as a griping mechanism by people with a complaint, an axe, or a dispute.

    That suspicion was borne out by a 2013 FOI in which the requester learned that only 18 web sites reported for alleged cookie law violations in 2013 were reported by more than one person. In other words, over 90% of reported sites were single reports.

    It is telling that ICO did not bother releasing a list for 2013, as they did in 2012, of which sites were reported to them. There was simply no point. Their Q2 report for 2014 was the second quarter in a row where they felt a need to state that “Many of the concerns received about cookies did not relate to individual sites or provide specific information about non-compliance.” In other words, people are sending in rants about privacy or businesses without bothering to name what site it is they are ranting about. Even ICO are fed up now with the abuse of the cookie law as a high horse.

    To date there has been only one cookie law fine, in Spain, for a token fee. The court admitted that there was no actual privacy violation; the case hinged on a failure to tick a particular box in Spain’s very strict DPA. This would never happen in the UK, where ICO has stated it is not interested in persecuting small businesses over silly hair-splitting.

    The real story about the cookie law in the UK, then, is not about privacy, data protection, or consumer choice. It has been about the abuse and misuse of the law by people with an agenda. The only people who continue to defend the cookie law are those who have a financial interest in doing so. As for privacy, as we know now, we never had it all along. I spoke more about that vis-a-vis the cookie law here.

    1. hi, Heather, how are you? Thanks a lot for the comment. Thanks for the links to all your content too – I had a look at the video & enjoyed it. You should publish little regular videos if you don’t already – I would definitely watch.

      Your question: “I’m not sure why you felt a need to put in an FOI as ICO has publicly listed all of the information every quarter.” – I actually answer that & link to their updates URL directly in the post: “They publish much of this info on their website, but it’s a tiny bit out of date & missing one or two answers.” – you’ll see they have not yet updated for last quarter, meaning it’s 4 months out of date at the time of writing.

      I agree with pretty much all of your complaints. It feels as though the ICO may have actually taken that into account & their policies seem to basically adjust for it – for example prioritising high traffic sites to weed out the ‘axe to grind’ local business & political stuff. Would you agree?

      What do you think should actually happen re the ‘cookie law’ in a broader sense?

      Thanks,

      dan

    2. Heather – good reply – I have to say I have similar experience in ASA complaints. Often I have had to respond to a complaint about an advert or web content and in asking for further information from the complainant the level of industry knowledge suggested that a competitor had raised a complaint, and I am sure it is common across many industries. The other similarity is that a dissatisfied customer would file a complaint on some T&C issue which would mean hours of time and a great deal of cost and effort (because we were unable to make the customer happy, so not saying companies don’t deserve it).

      I have to say implementing the Cookie Law was a fairly substantial piece of work and know that we spent several months of testing on customers to work out the best implementation. The problem I have is now all people are used to clicking the OK button so now visitors to sites are not only being served cookies effectively without their knowledge but have given consent. Any kind of sleep-walking consent in my view is wrong, but in my view cookie consent is an offence to good UX and that is why most sites have this half-hearted approach. It would be better to educate people on what Cookies do and why they are good and how they can be bad. I would suggest that a small part of domain reg fee could go to a group whose brief would be to educate on the data we give away and the data we should protect.

      In terms of the ICO acting on these rules it tends to be my experience that certainly within the regulated industries the relevant regulator will use the cookie law as another item that a company must be compliant on. The problem is the really nasty sites that sell and do all sorts with data are not going to care, so it is a law that, whilst I agree with the reasoning, I just don’t feel serves any purpose.

      Sam

      1. It turns out to be the same case in many copyright takedown requests as well – competitors abusing due process for their own interest. There have actually been interesting experiments done where takedown requests were submitted for public domain content written in the 1800s and the recipient has taken it down without a fight.

        I think we should give ICO credit where credit is due for acknowledging that cookies are small potatoes in the public’s eye as well as their own. They could have easily chosen to act as Spain and the Netherlands did. Fortunately there is no public appetite here in the UK, especially not from government, to subject small businesses to endless regulation for its own sake. That can always change in future if a less business-friendly government comes in.

  2. I pretty much covered this in two earlier posts, post one and post two. The key issue there is the tendency of regulators to confuse mechanism with intent. There is a cookie = all cookies are bad! = regulate all cookies. Which was then revised to some cookies are bad = regulate some cookies = just remember that other countries still regulate all cookies.

    All of that was written pre-Snowden, of course. Oh those heady, naive days of 2012. There is absolutely no point in ICO doing anything as long as the sea cables are tapped, literally and figuratively.

    Without meaning to sound right-wing, there needs to be a move towards greater awareness of one’s personal responsibility in ensuring online privacy. I use the Disconnect browser extension and there are times where you sit there watching the little green number race to 99+ within seconds of loading a single web page. Instead of turning a web site into a formal complaint process with a government bureaucracy, just kill the problem at source. If you have taken responsible steps towards your own privacy, you have a more authentic case to make to a regulator when your privacy truly is violated.

    What’s next in my mind is the issue of tracking cookies and beacons in apps, which is a blog post on my “Things To Write” list…

    1. I equate it to walking into a shop and demanding that they turn the camera off, going to the till swiping your loyalty card and being horrified that the data the shop gains on you they keep!

  3. First off, I do represent a business that helps companies comply with the law – not just in the UK but across the EU. So I do have a financial interest, as Heather well knows, but I also believe that the law does have value for consumer privacy protection. It is by no means perfect, or a complete solution, but it does have a place.

    I want to pick up on your characterisation of what Implied Consent is, as you have missed out what I think are pertinent parts of the ICO’s guidance on this. You are not alone in that – but what gets missed out has led to a lot of misunderstanding and misinformation in my view. As a responsible blogger I am sure you do not want to perpetuate those mistakes.

    On Pg10 of their guidance the ICO states that key to implied consent is the ability for the user to make choices: “it must always be possible for the user to decline to accept cookies even if it means a site’s functionality is limited for the user as a result”.

    At a practical level, this means to me that implied consent can only be valid, if there is an opportunity to choose not to have cookies set. This is the element that you will find missing on the majority of sites – and why actually many are not ‘compliant’. They provide information, but not the ability to choose not to have cookies.

    Now, you might also say that people can choose not to have cookies by stricter browser settings. The law allows for the possibility of this, which is why many sites will point out how to change your browser settings. However, the ICO guidance also notes very clearly that ‘For now relying solely on browser settings will not be sufficient..’ (Pg14)

    So if you take this into account, it seems clear that the ICO is not enforcing the law to their full capacity, according to their own guidance. Otherwise sites that just provide information, but no choice, could not be judged by them to be sufficiently compliant. I think in stating that this issue is a low priority for them, they are implicitly admitting that they are not enforcing their own guidance.

    I actually don’t have a big problem with that. My view however is that fear of enforcement should not be the only reason to comply with any law. For example, many types of insurance can be invalidated by not complying with legal requirements, regardless of whether or not some regulator is going to take action. That represents a risk for many companies.

    We are also in an environment of rapidly changing consumer privacy expectations. Whilst we haven’t seen it in a big way yet, I suggest that this could have an impact on this issue before too long – and that probably creates the biggest risk for most companies. As people get fed up with tracking without choice – they will take their own actions that take control away from website owners – and that will ultimately leave them worse off than if they provide choices for people now.

    1. hi, Richard, this more or less fits the pattern Heather mentioned I think: the people who seem to champion the cookie law & urge the ICO to get heavier on it seem to be those who would financially benefit from it.

      I agree that ‘choice’ is generally a good thing but, based on the amount of money businesses have spent on this, and the utterly tiny trickle of ‘concerns’ raised (inc a few, as Heather mentions, apparently based on self-interest) it appears that this ‘choice’ is not one the vast, vast, vast, vast, vast, vast, vast, vast, vast, vast, vast, vast, vast, vast, vast, vast, vast, vast, vast majority of the public has any real interest in.

      Would you disagree? I’d love to be convinced otherwise.

      dan

      1. I don’t think there is a case for more enforcement, maybe tighter regulation around the use and storage of data for those less than reputable sites, but as most sites are dependent on THE search engine and the few but dominant ad networks etc the internet tends to govern itself. The cookie law whilst well intentioned only serves to confuse those who already have concerns over online data etc and for the rest it’s one more click until they can get on with whatever they came online to do. I can tell you from the point of view of someone who worked through the change on a major household name’s site it was a lot of work, money and overall one more barrier to customers.

      2. I would say there is growing evidence that consumers believe that companies hold too much information about them, and that ubiquitous tracking is seen to be more of benefit to business than consumers. That is they recognise the value exchange in ‘free’ services, but are not convinced it works in their favour.

        I have covered this in blogs:
        http://www.eudataprotectionlaw.com/the-data-trust-deficit/
        http://www.cookielaw.org/blog/2014/5/21/more-consumers-turn-against-online-tracking/

        and a recent survey from Orange is also relevant I feel:
        http://www.orange.com/en/press/press-releases/press-releases-2014/Consumers-value-their-personal-data-at-170-140-Orange-study-finds

        If people don’t complain more – it could be because they do not think it will have an impact. Instead they are turning to things like Adblockers in ever larger numbers: http://downloads.pagefair.com/reports/adblocking_goes_mainstream_2014_report.pdf

      3. Richard and I have agreed to disagree and I have no problem with him or his business. He’s a lovely guy who has a coffee on me if he’s ever in Glasgow.

        I do believe strongly in online privacy. I remember well having a little tantrum about cookies and privacy. The problem was, that was 1998, when the worst thing that could happen was that DoubleClick tracked which sites you shopped on. The glacial pace of EU legislation – as well as the sheer amount of time it took regulators to notice – meant that by the time they got around to addressing that particular aspect of online privacy, it was yesterday’s news. By that time people were voluntarily relinquishing their own privacy on social media and apps. And by that time, all of our communications were being scanned by a programme the Home Secretary can neither confirm nor deny. Cookies are grains of sand. Right now, the whole damn beach is being hoovered up.

        I do think we are in a rare window of opportunity to have a good think about what online privacy means, how we protect it, who we protect it from, and what mechanisms we use to protect it. That discussion needs to involve everyone – users, developers, bureaucracies, and governments, rather than completely omitting the first two. Here are notes from a debate I attended last week on the matter convened by ORG which included Ed Snowden’s editor at the Guardian.

  4. PS I didn’t actually advocate more enforcement by the ICO. I simply made the point that fear of enforcement is not necessarily the only relevant driver here.

    There are a lot of potential similarities with the issue of web accessibility. Making websites accessible for people with disabilities was once seen as an expensive add-on. Then came the Disability Discrimination Act – and that put a lot of fear into companies of enforcement. They spent a lot of money improving their sites out of that fear. Almost no-one got into trouble in the end – but now, accessibility has become just part of good web development practice.

    Would that have happened to the same extent without the DDA?

  5. First of all, the helpful yet completely spineless ICO…

    I once filed a complaint with them about spam email from an online retailer. Their unsubscribe feature did not work and they did not acknowledge that there was a problem. The ICO responded with the least committed and actionable letter imaginable. They offered no help, they didn’t mention contacting the online retailer and they didn’t change anything. Apart from funding their own salaries through a mandatory £35 annual charge to anyone that wants to store information about their customers…I don’t know what they really do. Much like PPL I can’t help but think that they’re an organisation that exists purely because of crude political thinking rather than any form of public service.

    Secondly, cookie law. Why legislate for anything if you’re not going to effectively police it? This blog post sums up my feelings towards it: http://blog.silktide.com/2013/01/the-stupid-cookie-law-is-dead-at-last/.

    Either politicians didn’t understand the concept of a cookie (remember this? http://i.imgur.com/1pXlO.jpg) or someone, somewhere had an agenda to push.

    It’s not about privacy, it’s never been about privacy. If you want to know about your browser’s computers then you query it in PHP/ASP etc and store it against a browser profile maybe using their IP or a subnet. Stick a cookie on there if you want but it’s not really necessary. Or just use a PHP session cookie that’s valid until 2099 and circumvent the entire directive.

  6. Compliance rates still seem to be epically low. A few notable miscreants include sussex.police.uk, parliament.uk, jobs.nhs.gov and many, many others. Such a pointless law. Where is the same for protection from large scale corporate spying? ¬_¬
