Skip to navigation
Latest News

ICO "not ready" to probe cookie complaints

website

By Nicole Kobie

Posted on 13 Aug 2012 at 09:45

The Information Commissioner's Office has yet to investigate a single website over the new cookie consent rules, because its investigative team isn't ready to start work - more than a year after the new laws came into force.

The regulations - requiring websites to alert users before dropping cookies onto their computers - came into force in May 2011 via an EU directive, but the ICO gave websites a year's grace period to update their sites, which ended 26 May.

Since then, 320 sites have been reported via the ICO's online submission tool, but not a single site has been investigated, according to an ICO response to a PC Pro Freedom of Information request.

"At present the information has not yet been analysed as the team which will have responsibility for this is not in place yet," the ICO said in its response. "It is intended that once the data has been analysed any organisations not in compliance will be identified, then further action will be considered as appropriate."

The team is not expected to start work until the end of this month, but employees have now been hired, an ICO spokesman said. The team will cover cookie consent, as well as other areas of the new Privacy and Electronic Communication Regulations, including electronic marketing and spam texts.

The ICO added that sites reported via the online tool may not necessarily be investigated, saying they "are not being taking forward as individual complaints", adding that "the purpose of this feedback form is to help us to monitor organisations’ adherence to the rule relating to cookies, and identify sectors where further advice or enforcement activity may be required".

The watchdog has previously said it's unlikely to fine sites for not complying, but will instead force them to start following the rules.

The ICO initially said sites would need to get "explicit consent" before dropping cookies, but a day before it was set to start enforcing the rules the privacy watchdog said "implicit consent" would be enough - meaning sites can simply tell users that cookies will be used.

Subscribe to PC Pro magazine. We'll give you 3 issues for £1 plus a free gift - click here
User comments

It's not extactly surprising. There's not a lot of funding around in government organisations at present. Teams are getting smaller, and so that ever increasing workload just sits in the never ending job queue.

By 0thello on 13 Aug 2012

Do they know anything about web standards

Checking the ICO link against validator.w3.org showed 10 errors so I'm not sure they know too much about web standards, including cookies.

Guess they're not ready yet because they're still ordering their leather seats at £900 each and deciding on the music for the opening ceremony of the first investigation. Elton's available.

By SparkyHD on 13 Aug 2012

NOT CORRECTLY CERTIFIED

Christopher Sidney Matthew Graham (born 21 September 1950) is the UK Information Commissioner. Was a boy chorister at Canterbury Cathedral. He was subsequently educated at St. Edward's School, Oxford, and at Liverpool University, where he earned a B.A. degree in historyHe was a Liverpool City Councillor during 1971-74,. Prior to his appointment as Director General of the ASA in 2000, Graham had worked for the BBC since the mid-1970s.
==============
A policeman gets to know about law.

Graham is the ICO who is supposed to police the internet and protect UK citizens under the EU data protection act.

Unfortunately the ICO does not always know the law, or trys to turn a blind eye to it.
=================
ICO gives BT 'green light for law breaking' with Phorm
=================

NOT A CLUE AND CORRUPT

By lenmontieth on 14 Aug 2012

Shouldn't this be about privacy?

It seems highly strange that the 'privacy watchdog' the ICO are now effectively allowing large companies drop cookies to track visitors without permission.

This whole implied consent thing is ridiculous. Warnings stating- "Just to let you know, we don't care about your privacy and track you regardless of your desire to browse the internet anonymously".

It is a sorry state when the ICO don't wish to clamp down on offenders as this might ruffle a few feathers at large companies who deploy tracking cookies.

I sincerely hope that the ICO decide to finally force compliance on one or two big cos to set an example. Otherwise this will just become another EU law that has not achieved its original aim.

By stephen_57 on 14 Aug 2012

Shouldn't this be about privacy?

It seems highly strange that the 'privacy watchdog' the ICO are now effectively allowing large companies drop cookies to track visitors without permission.

This whole implied consent thing is ridiculous. Warnings stating- "Just to let you know, we don't care about your privacy and track you regardless of your desire to browse the internet anonymously".

It is a sorry state when the ICO don't wish to clamp down on offenders as this might ruffle a few feathers at large companies who deploy tracking cookies.

I sincerely hope that the ICO decide to finally force compliance on one or two big cos to set an example. Otherwise this will just become another EU law that has not achieved its original aim.

By stephen_57 on 14 Aug 2012

Shouldn't this be about privacy?

It seems highly strange that the 'privacy watchdog' the ICO are now effectively allowing large companies drop cookies to track visitors without permission.

This whole implied consent thing is ridiculous. Warnings stating- "Just to let you know, we don't care about your privacy and track you regardless of your desire to browse the internet anonymously".

It is a sorry state when the ICO don't wish to clamp down on offenders as this might ruffle a few feathers at large companies who deploy tracking cookies.

I sincerely hope that the ICO decide to finally force compliance on one or two big cos to set an example. Otherwise this will just become another EU law that has not achieved its original aim.

By stephen_57 on 14 Aug 2012

Enforcement Starts this Month

Rather misleading article headline - lower down you state that they will start enforcement this month - so they are now ready!

By richab on 14 Aug 2012

"Four legs good, two legs bad!"

One rule for us, another for them. ICO were quick to wag their fingers at British businesses reminding them that they had a whole year to prepare for cookie law compliance. And now? If we had a year's grace period, what exactly were ICO doing with theirs, if they're still not ready?

As always, where the official outfit is not ready to act, the scammers are. Last week an Australian scammer was caught making calls to UK businesses claiming to be ICO and demanding money for cookie audits with the threat of a £5,000 instant fine. ICO ignored communications about the scam, said nothing publicly, and only issued a PR BS non-response after I emailed the head of external communications directly to ask about it. (http://idea15.wordpress.com/2012/08/02/so-it-begi
ns-the-eu-cookie-law-scams/#comment-2622)

Last minute u-turns, ignoring scammers, poor preparation for internal compliance: is this taxpayer-funded agency fit for purpose?

By idea15webdesign on 14 Aug 2012

People cost - the fines will come

If they are starting to employ people - the fines will start coming, as those employees have to be paid for.

By richab on 14 Aug 2012

Dereliction of Duty

The EU Privacy Law is already in force, but the ICO seems fit to waiver the law until THEY are able to comply with legalities ???WHAT???
Try telling that to a policeman.

While it is true that the Information Commissioner's Office has issued some substantial fines, many of these have been upon Public Bodies like hospitals and City Councils.

Public Bodies get their main funding from taxpayers. Therefore persons who have been affected by privacy breaches are having to pay these fines (indirectly) to repay those loses. This adds injury to injury (sic) and is an insult.

The ICO does not fulfil what it is supposed to do. Simply put:

It is unfit for purpose.

By lenmontieth on 14 Aug 2012

Why the ICO is WRONG

Privacy:
If I have to register to OPT OUT, then I have to give my private details to some person or database, so these can be recorded.
THIS IS OPPOSITE FROM MY RIGHTS UNDER EU LAW.
------------
If I wish to OPT IN, I should be able to register and get advertising perks etc., even be listed in data banks to receive them.

Cookie Laws are not the exception and SHOULD comply with the above implementation:- ask FIRST and DO NOT TRACK (without permission).

That is the EU LAW (also ours by LAW).

By lenmontieth on 14 Aug 2012

No, it's not about privacy

A lot of you seem to be under the misguided assumption that ICO exists as a privacy watchdog. That's not what they do. Their role is data protection. Their job is to enforce UK and EU legislation about data transmission, retention, and prevention. Privacy is not a part of that remit. There are occasional privacy consequences to data transmission issues - such as an NHS trust disposing of old computers with patient records still stored on the hard drives - but don't think ICO have some sort of heroic role fighting the good fight and protecting us little people. That role belongs to the third sector, not the government.

Data protection is not privacy. The existence of a cookie is not a malicious act. Storing information on a cookie is not a sign of guilt. The only people who seem to think so have "compliance software" to sell. You need to separate privacy - as in, not having information tracked by advertisers - from data retention, as in in informing vistors that you use cookies.

By idea15webdesign on 14 Aug 2012

Is it a cookie or HACKING ?

As soon as someone puts an unwanted,non-requested and unnecessary cookie onto ANY computer, it becomes a technical case of HACKING.
Computer hacking is illegal and has everything to do with privacy.

Why should it be legal for anyone to be tracked without permission by ANY company?

Collection of "anonymous data" can be turned to targeting an individual by examining their Internet Footprint(among others)leading to recognition of a single individual.

If we question its (targeting) morality, the (alleged) IBM collusion with the (legal) Nazi Party in building a card driven computer database that eventually could be used to separate ethnicity, is a point of historic boding.

It should also be remembered that once these forms of private data is released, there is no way to delete it.
Fat lot of good the government telling everyone to be careful with Identity Theft when UK.Government are selling those very important and private details.

Big Business and Government make money on these details, so is it possible a conflict of interests exists?

By lenmontieth on 15 Aug 2012

cookie or HACKING?

@lenmontieth- A conflict of interests is very much possible.

The most used cookies on the web are stored via website analytics tools. The biggest provider of this offers a free service but then OWNS the data. If this is not a matter of data protection then what is!?

Is it right that when accessing public sites such as .Gov sites or NHS sites visitors have to allow their data to be passed through to companies?

There are analytics tools that allow sites to control and own their anonymised data. This is perhaps the balance that needs to be taken to ensure privacy is protected without taking backwards steps for website management.

By stephen_57 on 16 Aug 2012

Only the beginning....

The ICO is the Govt. agency tasked with implementing the EU Privacy Directive, which is law btw, and has been passed into law by the UK Govt. via the PECR 2009.

They have an obligation to enforce the law as it stands, and if they start saying, "..oh well, it is a bit difficult to enforce so we won't bother doing anythign about it...", where does that end? Law is law, there is NO wiggle room here. It is hard to catch "real world" criminals, too, but do the Police say, its too hard, we'll just leave it for now? No, of course they don't. And before I get accused of hyperbole, I am not accusing cookie droppers of being criminals, however, they ARE breaking the law if they do not adhere to the Directive....

As for the ICO's "softly-softly" approach of allowing "implied consent", well, yes they have gone down that route, but implied consent according to the ICO also means NOT dropping cookies UNTIL an action has been given by the user which could be regarded as accepting the "terms" offered by firms trying to go down this route.

As for the lazy bunch of "devs" who have told their upstream that all they need to do is to give details of how to make the changes in the users browser, that's just plain dumb - firstly because even the ICO doesn't consider that to be legal, due to browsers not being sophisticated enough currently to be relied upon, and secondly, if users do start blocking everything, (and it is a lot easier to do that than trying to work out what setting you should have), the entire cookie reliant business is going to come crashing down.

Then you have the other 26 member states, all implementing their own spin on the Directive, with countries like Netherlands going down the explicit opt-in route, AND with the potential to deploy a "bot" to go around websites checking if they are dropping unauthorised cookies, followed by a fine.

People need to wake up and smell the coffee - the law is here, and it needs to be adhered to, otherwise the whole fabric of lawful trading and compliance falls apart - the consequences for that are pretty bad.

By CookieMonitor on 16 Aug 2012

Only the beginning....

The ICO is the Govt. agency tasked with implementing the EU Privacy Directive, which is law btw, and has been passed into law by the UK Govt. via the PECR 2009.

They have an obligation to enforce the law as it stands, and if they start saying, "..oh well, it is a bit difficult to enforce so we won't bother doing anythign about it...", where does that end? Law is law, there is NO wiggle room here. It is hard to catch "real world" criminals, too, but do the Police say, its too hard, we'll just leave it for now? No, of course they don't. And before I get accused of hyperbole, I am not accusing cookie droppers of being criminals, however, they ARE breaking the law if they do not adhere to the Directive....

As for the ICO's "softly-softly" approach of allowing "implied consent", well, yes they have gone down that route, but implied consent according to the ICO also means NOT dropping cookies UNTIL an action has been given by the user which could be regarded as accepting the "terms" offered by firms trying to go down this route.

As for the lazy bunch of "devs" who have told their upstream that all they need to do is to give details of how to make the changes in the users browser, that's just plain dumb - firstly because even the ICO doesn't consider that to be legal, due to browsers not being sophisticated enough currently to be relied upon, and secondly, if users do start blocking everything, (and it is a lot easier to do that than trying to work out what setting you should have), the entire cookie reliant business is going to come crashing down.

Then you have the other 26 member states, all implementing their own spin on the Directive, with countries like Netherlands going down the explicit opt-in route, AND with the potential to deploy a "bot" to go around websites checking if they are dropping unauthorised cookies, followed by a fine.

People need to wake up and smell the coffee - the law is here, and it needs to be adhered to, otherwise the whole fabric of lawful trading and compliance falls apart - the consequences for that are pretty bad.

By CookieMonitor on 16 Aug 2012

one aspect of one hill in a mountain range

Cookie Law is but one aspect of one hill in a mountain range of personal on-line security concerns. It's unfortunate that all our attention is drawn to this incompetent/farce of an attempt by both the EU and the UK to introduce legislation for something that is negligible in comparison to other concerns. It's like the constant gibbering of Carbon release while totally ignoring the other 10M+ poisons being released in exponential quantities. Then going on about all the Carbon Tax without mentioning that a factory (amongst hundreds) was fined £500 for the 20th time for poisoning several million gallons of river water and 20Sq miles of land.

I wonder how much planning went into not setting up a team prior to the introduction of this law, or the subsequent period of time, and how much it cost to do nothing; how long before the EU fines the UK for failing to enforce such legislation?

What we have learnt from Labour is that Self Regulation Does Not Work.

The ICO might argue that they are waiting for the EU to address the mishmash of attempts throughout Europe to introduce this and other on-line legislations. Jurisdictional problems would be a major challenge, and the real problem is illegal trading of information. The EU needs to address this at the EU level unilaterally. Lets face it, the major culprits are search engines, ISP's, major sites, dodgy corporations and governments. The impact of smaller sites failing to meet cookie legislation may be relatively small in comparison.

By skgiven on 16 Aug 2012

Leave a comment

You need to Login or Register to comment.

(optional)

advertisement

Most Commented News Stories
Latest Blog Posts Subscribe to our RSS Feeds
Latest ReviewsSubscribe to our RSS Feeds
Latest Real World Computing

advertisement

Sponsored Links
 
SEARCH
Loading
WEB ID
SIGN UP

Your email:

Your password:

remember me

advertisement


Hitwise Top 10 Website 2010
 
 

PCPro-Computing in the Real World Printed from www.pcpro.co.uk

Register to receive our regular email newsletter at http://www.pcpro.co.uk/registration.

The newsletter contains links to our latest PC news, product reviews, features and how-to guides, plus special offers and competitions.