ICO Guidance on Cookie Law Fines

The Information Commissioners Office (ICO) is responsible for enforcing the new cookie legislation in the UK, which it has promised to start doing from May 2012.

They are currently in a public consultation on their guidance for the issuing of ‘monetary penalties’ – fines to you and me, as part of their powers.

We have been reading the draft version, which can be found here.  The ICO was given new powers as part of the new cookie legislation, including the abililty to serve up fines of up to half a million pounds.  The aim of their guidance is to set out the circumstances in which they intend to use these powers, and the processes they will follow.

It seems quite soft touch in many ways.  Fines will only be imposed for ‘serious‘ breaches, and where there has been ‘substantial damage..[or]..distress‘ – where ‘damage’ largely means financial loss.

It also promises that fines will be both ‘proportionate’ and affordable – so they are not looking to put people out of business – but motivate them to comply with the law.

Is this the right approach?  There are lots of big businesses that are against this law, and whose revenues could be severely at risk if a hard line were to be taken.  So a soft touch approach would be welcome for them.

On the other hand, you have to ask that if you bring out a new law, but don’t give it any teeth, who is most likely to suffer? 

The answer in this case could end up being the businesses that comply, and lose customer data, and therefore competitive positioning against their rivals.

There is a very interesting line however which concerns how the ICO will calculate the level of a fine imposed once a decision to do so has been made.  This says that the amount of the fine should ‘eliminate any financial gain or benefit from non-compliance‘.

So there could be a route here whereby compliant companies might make a case that their non-compliant competitor is benefitting unfairly, and that the ICO should therefore take action to level the playing field.

Only time will tell if such a strategy could be successfully pursued.  However, the truth is that the amount of money to be made by gathering user data through cookies, is far greater than the maximum fine that can be imposed.

So what would happen to a company that says even if they had to pay half a million pounds every month, it would still do so rather than lose the data their tracking cookies are gathering?

What would the ICO be able to do then?  Maybe nothing, but at the very least it may help to reduce the budget deficit a little bit quicker!