One of the biggest concerns for online businesses this year has been the EU cookie law.
Six months after the enforcement 'deadline', it seems that the cookie apocalypse hasn't transpired, but the ICO has felt the need to write to 174 companies about their cookie policies.
According to a recent activity update, it has received 550 reports from web users about sites' cookie policies.
Here's a summary of the issue as the ICO currently sees it...
Cookies are a 'low consumer threat'
To put this into context, the ICO received more than 53,000 complaints about unwanted marketing communications, so concerns about cookie policies aren't that high on the agenda.
ICO summarises the complaints as:
- Customers who are unhappy with implied consent mechanisms, especially where cookies are placed immediately on entry to the site.
- Customers have not been given enough information generally, and specifically not enough information about how to decline cookies or manage them later.
- It also says that a 'significant number' expressed concerns around how cookie consent affects website usability.
The ICO asked people who reported concerns about the websites:
I'm not sure how, if 462 of the complainents were asked for permission to place cookies, 301 said they hadn't provided information. Perhaps they felt that not enough information was supplied at the point of asking consent.
Moreover, it's puzzling that, despite sites asking permission to place cookies, people still felt it was necessary to complain.
Concerns raised about websites
Between May 26 and September 6, the ICO received 388 'concerns' about 207 websites.
The ICO then looked at these sites before writing to 100 sites asking what steps they were taking to comply.
Since sites like the BBC and Channel 4 have prominent cookie messages, implemented back in May, I think we can assume that they were among the initial 68.
The ICO seems to be satisfied with the actions taken by most popular sites, though some are facing 'further investigation':
We are considering 14 websites for further investigation. In these cases we will contact them to discuss their compliance, and require them to take steps as necessary. We have passed details of five websites to our International team, who have told the relevant European authorities about the concerns we received. We will continue to contact every site we receive a concern about to ensure they know what steps they need to take.
For those popular sites which have done nothing, the ICO will set a deadline for compliance, but fines seem to be a long way off.
Relax, there's nothing to worry about...
The key takeaways as I see them are:
- The level of complaints is very low, and the fact that the ICO hasn't even written to 107 of the websites which were reported suggests that not all complaints were valid.
- Even when sites are 'non-compliant', there is no immediate threat of fines. Companies can effectively 'kick the can down the road' and take action as and when the ICO gets in touch.
- The ICO sees this as a low priority. I spoke to the ICO's Dave Evans a few times earlier this year, and the impression I got was that they had bigger fish to fry.
- Strict consent mechanisms were unnecessary. It seems that implied consent solutions which didn't impact the user experience were the best approach. Sites like Games Workshop, which won't let you into the site without clicking the cookie box have gone too far:
Back in the months before the May 26 deadline, there was much concern about the impact of the cookie law. In a survey we ran in March, marketers expressed concerns, with many unprepared and unsure of the steps they need to take.
At our Digital Cream event last March, the roundtable on cookie law compliance was possibly the most popular, and from the session I sat in on, there was much concern about the impact on business.
Thankfully, though its guidance could have been clearer at times, the ICO has taken a sensible approach to implementation, placing the issue in proper context.
For an organisation which has to deal with serious abuses of the Data Protection Act and unwanted marketing, the setting of a few cookies on websites is low on its list of priorities.