Privacy & Information Security Law Blog

On December 18, 2012, the Information Commissioner’s Office (“ICO”) released an enforcement report (the “Report”) on the extent of compliance with recent changes to UK law governing the use of cookies (The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011). The ICO previously issued an interim report on organizations’ attempts to achieve compliance, in which it concluded that organizations “must try harder” with their cookie compliance efforts.

Since May 25, 2011, UK law has required prior opt-in consent for cookies and similar technologies. The ICO granted a one-year grace period to enable organizations to comply with these new rules, and the Report provides a snapshot of current cookie compliance in the UK. The Report also summarizes the concerns conveyed to the ICO using its “Report Your Cookie Concerns” function on its website.

The Report notes that between May 25, 2012 and November 21, 2012 the ICO received 550 “cookie concerns,” yet during the same period it received 53,000 concerns about unwanted marketing communications. Based on this, the ICO suggests that consumers’ level of awareness and concern about cookies is relatively low in comparison to unwanted marketing communications. Further, the ICO has given cookies a low consumer-threat rating compared to unwanted marketing utilizing telephone and SMS text messaging.

Consumers’ reported concerns related to the following two key issues:

1. they were unhappy with implied consent mechanisms; and
2. they have not been given enough information about cookies, in particular, about how to decline and manage cookies.

Of the 550 cookie concerns, 462 respondents reported that the website in question did not ask for permission to deploy cookies and 301 claimed that websites did not provide any information about the use of cookies.

The ICO also conducted a basic visual audit of 207 websites in relation to which it received 388 cookie concerns. Of these 207 websites, 90 had taken steps to raise consumer awareness and obtain consent for cookies, and another 68 had taken other limited steps. 48 website appeared to have taken no steps whatsoever to comply with the legal requirements pertaining to cookies. Where websites were based outside of the UK and did not come within the ICO’s jurisdiction, the ICO notified relevant authorities in other EU jurisdictions of the concerns.

To date the ICO has written to 174 organizations regarding their cookie compliance efforts and is considering further investigation into another 14 websites. In the Report, the ICO emphasizes that it will “continue to contact every site [it] receive[s] a concern about to ensure they know what steps they need to take.” While the ICO will take a “practical and proportionate approach” to cookie enforcement, it will consider the use of formal regulatory powers where an organization refuses to take steps to comply, or uses particularly privacy-intrusive cookies without providing notice or obtaining consent.