With the EU e-Privacy Directive's compliance 'deadline' just a month away, many businesses are wondering not only what they should do about it, but also how the law will be enforced by the ICO.
While working on our EU cookie law guide, I spoke to Dave Evans, Group Manager for Business & Industry at the Information Commissioner's Office (ICO).
I asked how actively the law would be enforced, the likely penalties for non-compliance, and whether implied consent solutions would be acceptable.
What was the thinking behind the EU e-Privacy Directive?
It’s important to remember that the cookies rule is just part of a law aimed at safeguarding privacy online and protected web users from unwanted marketing. There have been growing concerns over the past few years, and the directive sought to address those.
Organisations providing content are obtaining information about users and people have started to become more aware of the sophisticated techniques being used for internet marketing. The 2003 directive wasn’t doing enough to deal with this.
Organisations that collect information need to obtain people’s agreement, and you have to tell them what you want to do with it.
So the aim is to protect user privacy, and ensure that they are giving informed consent for using their information.
Once this directive had been passed, we wrote to the UK government and pointed out that, the way it was worded, consent for cookies is not so straightforward.
Legislators left it broad, and there was no steering on cookie issues. Exemptions for strictly necessary cookies were not drawn widely enough.
Have you attempted to find a balance between business needs and the law?
This was one of the first things we thought about. We’re here to educate and to promote good practice. If all we did was to slap fines on people, we wouldn’t be doing our job properly.
We will enforce the law proportionately. We’ll look at the risks if and when customers complain to us. If a websites’ cookie and privacy is a risk to many people, we may then take action.
There is a balance to be struck though, as not all cookies are equal, and our enforcement approach will bear this in mind.
For example, someone may complain about a cookie placed without their consent, but if it was just used to remember essential details rather than to gather information to be used for marketing purposes, then it may not be appropriate to act.
The first question we will ask is: have you tried to sort this out yourself? If they don’t want a particular cookie, then they could use browser settings or security software to get rid of it.
It’s highly unlikely that organisations will get into trouble because of one cookie or just a few complaints, but we would seek to address any potential issues with the company concerned.
In these situations we would be more likely to provide advice to the organisation. It is unlikely (though not impossible) that we would take action just for analytics cookies.
Will 'implied consent' solutions be enough in some cases?
The law does allow us some leeway, and if a company’s revenue would drop if it went for a strict opt-in, then we could look at different ways of educating users and gaining consent.
Just because analytics cookies are caught by this law doesn’t mean a strict opt-in is necessary. It could, in some cases, be seen as an essential part of the relationship.
Organisations can help themselves by informing people and providing decent information about cookies. For the last eight years or more, this has been hidden away in privacy policies which only a minority of internet users ever read.
Therefore, can you be confident that your users know about cookies? In the medium to long-term, if lots of websites are more transparent about cookies and privacy, then users will become more informed and it will be easier to assume knowledge.
If we can operate on the basis that, since a website has made efforts to inform customers, and through this collective education process, people understand how and why online businesses are using their data, a website could claim with some justification that since we made it clear, and they are still using our website, opt-on consent may not be necessary.
It will take time to get to the point where most web users are aware of this, but this clarity of information may fill that gap for some websites. It may eventually become an implicit part of the relationship that websites gather and use analytics data.
For example, they could say, well we have given this information, and we’re in the process of looking at consent models.
We’re not there yet, and much will depend on the collective efforts of websites. Some will go down a stronger route than implied consent.
However, if companies aren’t making this information visible, then they are taking a risk.
On the other hand, it we received a complaint, then go to the website, and it’s difficult for us to say that the user hasn’t seen this, then have to judge such a complaint on the balance of probabilities.
If it looks like an organisation has put enough information there, and it is clearly visible, such that it wouldn’t be likely that users would miss it, then it’s unlikely we would take that further.
What about examples like BT's slider tool for opting out of cookies? Would this be enough to comply?
It looks perfectly fine, though I’ll hold back on passing judgement as it has only just been rolled out. We know how much time and effort BT has put in though, and we also appreciate that this is beyond the capabilities and resources of some companies.
Will you actively enforce the regulations after May, or wait for complaints?
We have a team of investigators, but we won’t necessarily be trawling the internet looking for abuse of the directive. In time, we may choose to look at particular sectors to see how they are informing users, based on the information we have received.
Enforcement won’t be driven by individual complaints though, and how we deal with this may well depend on the response from business. For example, if someone says, 'we’re not doing anything about this', then we may pay them more attention.
All of our enforcement actions are likely to be in the form of negotiations. If people listen to our advice and are prepared to take steps towards compliance there shouldn’t be a problem,
However, if businesses deliberately stop short of total compliance, then there is a risk.
For us, the issue may be that, if an online business has taken some steps towards compliance, and they don’t 'bother us', then that’s OK. However, if we receive a number of complaints it may be a different story.
How likely it is that complaints will flood in, we don’t know. It may be that the great British public simply isn’t that concerned about cookies.
If users are happy and we receive no complaints about a website then we have other things to be doing anyway.
If we had an enforcement team dedicated to looking out for abuse of cookie laws, then people would rightly ask questions about the ICO’s priorities.
Will you come up with a definitive answer on what compliance is?
We don’t know what compliance will look like in a year’s time.
There are lots of gaps here, and we want people to fill them with good practice. We can then point to examples of this and everyone will have a greater understanding of what is required.
We hope that this will pick up over the next month or so.
Will you make allowances for the cost in time and resources required to make the changes to websites in order to comply?
We know that not every website can just switch its website off on May 25 and implement changes. We will bear redesign schedules in mind.
There’s no point in rushing through a solution if a revamp is coming soon anyway.