UK ICO releases cookie enforcement report

By Ruth Boardman


The ICO has just released its latest report summarising the cookie concerns reported to it and the actions it is currently taking.

Between May and November this year, the ICO received 550 concerns via its cookie complaints tool, a relatively small number compared with the 53,000 concerns raised about unwanted marketing materials in a similar period and as such, cookies have been given a “low consumer-threat rating”.

The main points to note are:

• consumer concerns largely related to implied consent mechanisms, especially where cookies were placed immediately on entry to the site and lack of information about cookies and how to decline or manage them;

• the ICO has focussed its efforts on sites that are doing nothing to raise awareness or obtain user concern and in particular, on the top 200 most visited websites in the UK which have received at least one report of concern;

• letters were sent to 68 popular websites in May and a further 106 websites between October and December informing them that the ICO had received concerns and asking them to ensure they are compliant where they had not already taken steps to comply. The report includes names of those websites contacted to date although stresses that inclusion on the list does not indicate compliance or non compliance. The ICO will continue to write to websites it has concerns about;

• there are 14 websites where the ICO is considering further investigation and 5 websites based in other EU countries where the ICO has notified the relevant authorities of its concerns;

• encouragingly, only one website had failed to take any steps towards compliance and a compliance deadline will be set. Failure to comply will result in formal compliance action and the website may be named and shamed;

• companies relying on the implied consent model need to ensure that users can see clear and relevant information explaining what is likely to happen while they are accessing the site, and their choices as regards controlling what happens; and

• the use of formal regulatory powers will still be considered where compliance deadlines are not met or where particularly privacy intrusive cookies are used without telling individuals or obtaining consent.

For full details, please click here and here.


Ruth Boardman