The Information Commissioner’s Office will write to 50 top UK websites this week to find out what actions have been taken towards compliance with the new EU e-Privacy Directive.
During a press briefing last week the deputy commissioner and director of data protection David Smith declined to reveal which businesses were included on the list, but confirmed that site traffic was one of the criteria.
The websites in question will have 28 days to respond to the ICO’s letter.
While this may cause an administrative headache for the businesses involved, it will come as good news to many that the ICO does not plan to levy fines for breaches of the EU cookie law.
How will the ICO enforce the directive?
The new law, which comes into effect this week after a period of grace, gives the ICO the power to fine companies up to £500,000 for breaches of privacy regulations.
But Smith said the ICO was not “suddenly going to launch a torrent of enforcement action,” and that it would use formal warnings rather than fines to encourage websites to comply.
There would also be flexibility over when businesses became fully compliant with the new regulations, as the ICO understands that businesses have development cycles and can't suddenly redesign their sites:
It’s most unlikely that breaches of cookie requirements will meet the criteria that we have to satisfy before we can impose fines. It would have to be a serious breach and it has to be likely to cause substantial damage or distress to individuals.
He said that the ICO’s enforcement approach is to do with risk to people’s privacy, and the more intrusive the cookie is, the more likely it is to risk sanction. The level of penalty imposed will be worked out using a scale.
Tracking cookies used for behavioural advertising are considered more intrusive, while analytics cookies are at the lower end of the scale.
If all they’ve got is website analytics it’s not all that likely that they will end up facing enforcement action from the ICO as we have a lot of other priorities before we’d ever get to them.
However, Smith was also quick to point out that businesses shouldn’t simply ignore the new cookie law because the ICO was adopting a fairly soft approach to enforcement.
Similarly, he said that websites couldn’t hide behind the fact that many government websites are not going to meet the deadline for compliance.
Moving towards compliance
While the ICO has been in discussions with businesses about plans for compliance, many are unhappy that it has failed to say exactly what compliance will look like. Thus, many websites are unsure of the measures they should be taking.
The ICO’s own website is compliant with the cookie law, but Smith said it is not a model of how things should be done.
There are probably much more imaginative and user-friendly ways of getting consent.
The ICO is hoping that the industry will take the lead in coming up with best practice solutions and educating consumers about the new law. Group manager for business & industry Dave Evans said it would be “strange and naïve” for the ICO to think it was better placed to educate consumers than major websites.
Instead, businesses should be looking to educate users and obtain consent “in a way that fits in with what you do.”
We don’t want to be telling people how to run their business. We want to give people guidance on where they should be aiming and then they can come up with the best way to get there.
He said once consumers get used to seeing consent solutions it will become easier for the ICO to give advice to other businesses.
As rather than describing compliance we can direct them to these websites to see how they are doing it properly. Also, if lots of people in a particular sector are doing good things, then the people who are doing nothing are going to stand out.
Why comply at all?
If, as the ICO says, it will not aggressively enforce the directive and fines are unlikely, why would businesses risk losing users, sales, analytics insight and so on by implementing consent mechanisms?
I think there's a lot to be said for educating users about the information that is used by websites, and more detailed privacy policies are welcome. However, businesses will wonder why they should add a strict compliance solution and risk higher bounce rates when there is no guarantee that competitors will do the same.
We put this question to David Smith:
You shouldn’t do nothing and hope you get away with it. We’ve said all along that this should be a targeted approach so businesses should review what they’ve got and look at where the privacy intrusion is the greatest and act on that area.
I would say to businesses that you are in a competitive market, you are in an area where trust and confidence is important, and your competitors are doing things. So if you’re the one who is seen not to be doing anything then you are taking a big risk and not just an enforcement risk.
Businesses have to make their judgements and take their decisions, and in doing that the more intrusive a cookie is the more likely it is to engage our attention. If all they’ve got is website analytics it’s not all that likely that they will end up facing enforcement action from the ICO as we have a lot of other priorities before we’d ever get to them, but what I can’t say is that that would be legally compliant, but they have to make their decisions.