Cookie Law Update from the ICO

I took part in a cookie law event this week hosted by the Department of Culture, Media and Sport.  The DCMS being the government department responsible for this particular law.

It was largely designed as a Q&A session for site owners, but there were also keynote addresses by the minister Ed Vaizey MP and the Information Commissioner himself, Christopher Graham.

The latter being the man responsible for enforcing the cookie law from May 26, there were lots of people there eager to hear him talk, and what he had to say is very much worth reporting on.

First off there was some good news.  Both the Commissioner and Ed Vaizey were keen to point out that they were not interested in bringing the UK’s vibrant web economy to a grinding halt.  The ICO intends to take a balanced approach to enforcement, weighing up the interests of individual privacy with the needs of businesses to continue to profit from the web.

Considering that the UK has the largest proportion of GDP attributed to the digital economy of any G20 country – this was great to hear.

Chris also re-iterated a point made in the guidlines published back in November about web analytics.  Although analytics are not exempt from the need to gain consent, they are low down on the priority list when it comes to enforcement.

Which we take to mean that if you are gaining consent for your more intrusive activity, and telling people about your analytics activity, then it will probably be OK to keep collecting information about what pages your visitors are looking at – at least for the short term.

There was also a lot of discussion about the meaning and compliance status of ‘implied consent’, especially in light of the recent high profile change to the bt.com website which relies very much on this approach.

On this issue we mostly heard a re-inforcement of the message from November – that it might be OK if done well.  However we also got a promise of further clarification on its ‘acceptibility’ as a compliance strategy in May.

I think most people would have liked that clarification to come earlier but we shall just have to wait and see on that front.  What was very interesting was that there was no comment forthcoming about what BT had done, yet.

Alongside all of this however, there were also some clear words of warning.  The Commissioner talked about being in the ’11th hour’ of the grace period, and made it very clear that those site owners that continue to adopt a ‘wait and see what happens’ policy, are running a much higher risk of enforcement than anyone else.

There was also an indication of a hardening of the approach the ICO will take on one aspect of enforcement.  We had much stronger indications of a ‘proactive’ enforcement of the law, rather than the more purely ‘reactive’ message that had been given out before.

The ICO is not going to sit around merely responding to complaints from the public, but will take action on their own initiative when they see sites doing nothing to comply.  Of course they won’t be chasing everybody but they will certainly be looking at high profile, high traffic sites that appear to be doing nothing.

I think this change in emphasis has come from a certain frustration that there has not been enough visible activity from websites in the last year to become compliant.  It was again made clear however that actions taken will be proportionate, and the important thing is not to worry about perfect compliance on day one – but to start moving towards compliance now.

The main message I think is clear.  Come May 26th, if you are the lowest hanging fruit on the tree, you will be an easy target.  The time for doing nothing about this law is at an end.