Cookies - who will be the first to be clobbered?
Wednesday, 30th May 2012
When there were less than 40 days to go, LiveWire’s Joanna Ptolomey reported on research from KPMG showing that as many as 95% of companies weren’t ready – even though the UK privacy regulator the Information Commissioner’s Office (ICO) may now impose fines of up to £500,000 for non-compliance. In truth, though, what can the ICO actually do?
During the grace period of a year before actively enforcing the European Data Protection Directive, it spoke about the changes at a mere 30-odd events and wrote to no more than about 50 popular websites (according to an ICO blog). It’s obviously stretched, and it’s probably going to be a while before it can start imposing sanctions.
But when it does, it may have to start pretty close to home. A Cabinet Office spokesman told the BBC recently that most of the UK government’s own websites wouldn’t be ready in time.
The Local Government Association added that the ICO would continue to work with bodies that at least showed a commitment to implementing the rules, rather than prosecuting them. And the ICO has implicitly confirmed this, appealing to government bodies that are compliant to share their expertise with others.
The irony of all this is that the users the rules are supposed to protect don’t seem to care very much. According to a survey by eDigitalResearch, three quarters of online consumers hadn’t even heard of the EU’s cookie law – although when told about it almost 90% thought it was a good thing.
In reality, though, people seem to prefer to vote with their wallets. Another survey, from the Internet Advertising Bureau, found over half of people saying they would rather have cookie-based targeted ads than be required to pay for internet services.
So do non-compliant bodies need to worry? The ICO’s own guidance (downloadable via the ICO blog mentioned earlier) states that monetary penalties will be reserved for the most serious breaches – but it also says that non-compliant bodies will need to have a pretty good excuse, and it has made it dead easy for people to report their cookie concerns.
A look at the ICO’s track record removes any doubt about its willingness to prosecute where necessary. Penalties may be reserved for the most egregious of cases – but it’s only going to be a matter of time before it decides to make an example of somebody.