ICO won’t fine websites for UK cookies violations

UK websites won't risk financial penalties for failing to meet the new cookies rules, the Information Commissioner's Office has said.

The EU Rules introduced last year to protect the privacy of online users from behavioural advertising are currently subject to a 12-month grace period which ends next week (25th May). Observers had expected the regulator to take immediate enforcement action against non-compliant websites but this has now been ruled out.

At a recent media briefing, Deputy Commissioner David Smith reported that the ICO will generally only investigate websites after users report them via a yet-to-launch tool on the watchdog's site. "Only the most intrusive cookies will lead to the ICO using its enforcement powers," Mr Smith said. These powers include fines up to $500,000 or notices requiring companies to take action to fix breaches of the Data Protection Act 1998.

David Smith said fines were unlikely for cookies, as they wouldn't meet the requirements for being "substantially distressing" to individuals. "We do not rule that out but it's most unlikely that breaches of cookie requirements meet the requirement for monetary penalty," he said. "In the area of cookies, it's quite hard to satisfy the test for a fine."

UK cookies - last minute panic

We have seen last-minute panic from organisations looking to comply with the Cookies Regulation, mostly about how the new rules will work for websites which deploy third-party cookies over which they have no control. Affiliate sites using Google Adsense are just one example where this can happen.

Policy makers have suggested that the solution has to be found at network rather than individual website level. Cookies are essential technical elements that support users' browsing experience and, if disengaged, will wreck the website's look and feel. Commercially, owners cannot afford to tell users to go elsewhere if they don't agree to their cookies, and it's likely that other websites are not compliant either. This legal uncertainty is not helpful at a time when the European Commission is trying to encourage cross-border e-commerce following the scandalous 2009 report that revealed up to 60 per cent of EU cross-border transactions are failing for one reason or another.

ICO website

It's been questioned whether the Information Commissioner's own website (www.ico.gov.uk) is fully compliant with the new rules. Upon visiting the site, a general notice appears to inform visitors about cookies, but it doesn't specify which cookies are used (as if we would know what they did anyway) or for what purpose, and it doesn't give options to disengage them. Is this enough? Our short-term view is that so long as your website provides similar information to the Information Commissioner's website it's hardly likely you'll be prosecuted for non-compliance.

Of course, we wouldn't advocate speeding after a police car!

E RADAR's own research led by Dr Daniel Dresner, Tito Todorov and Boniface Atem from Manchester's School of Computer Science questions whether it is enough for users just to tick a box in order to disengage cookies. Surely the user also requires some sort of validation that the cookies have been disengaged? Current website compliance solutions just don't provide this level of trust.

Understandably, companies such as Google, Facebook and Yahoo are still developing policies which are at best commercially sensitive due to the tremendous impact behavioural advertising has upon revenue streams - not just their own but their affiliates' too. But in this complex world of interconnected communications it has to be the responsibility of companies specialising in the use of behavioural advertising technologies to lead the rest of us!