For those who have had any involvement in the digital domain over the last few years, any reference to the ICO or the ‘cookie law’ might cause you to shudder (or worse!). In May 2011 the UK implemented an EU directive, and the Information Commissioner’s Office was tasked with enforcing it. For a year the ICO allowed website owners to update their sites before enforcing the legislation, with hefty fines as the sanction for non-compliance. The legislation gave users the right to refuse the use of cookies by the websites they visited, preventing the tracking of their browsing habits. Tightening up on this practice was a good thing; however, cookies are an essential part of most websites, and without them a site may no longer function as intended.

With no concrete information or guidance on how to interpret the legislation’s requirements, website owners, developers and managers were left with a serious problem. Amid the uncertainty, organisations such as the BBC and BT spent large sums implementing complex systems through which visitors could explicitly enable and disable individual cookies. Without that level of resource to throw at the problem, most organisations simply settled for a banner, displayed to first-time visitors, asking them to accept the use of cookies in order to continue. The ICO did eventually publish further information on its expectations for good practice around cookie use, but only 48 hours before the enforcement date!

So how did things work out?

  • Between April 2012 and September 2014, the ICO received a total of 1023 reported ‘concerns’ about cookie usage.
  • 60% of these ‘concerns’ were received in the initial 8 month period.
  • As a result, the ICO wrote to 275 organisations, and in every case, no enforcement was required.

Some attributed this apparent success to a well-run education programme and/or a proactive business base making the necessary changes. On the other side of the fence were the cynics who dismissed the exercise as a waste of time and money. Either way, the outcome of ‘ridding the internet of evil third-party tracking cookies’ was a good one!

For the sake of relevant comparison, and to put some context around this, it is worth noting that:

  • In a single quarter of 2014, more than 47,000 ‘concerns’ were registered with the ICO in relation to unwanted marketing communications.
  • On those figures, an organisation was several hundred times more likely to be complained about for marketing communications than for inappropriate cookie use (the 1023 cookie concerns arrived over roughly ten quarters, so around 100 a quarter against 47,000)!

The good news is that the ICO appears to have learnt from the lessons of the past and is being far more proactive and helpful in providing guidance that defines its expectations with regard to data protection and privacy. Consent is a cornerstone of data protection law, and this week the ICO published a 39-page consultation document on its draft guidance on consent under the new regulation. Not only is there some essential reading in there for every Data Protection Officer (DPO), there is also a consultation response document which allows anyone to submit feedback until 31st March 2017. This is a significant opportunity to shape the complete guidance document due for publication in May of this year.

There is a lot to digest, and it is clear that specialist data protection lawyers are going to be very busy between now and May next year advising organisations of their obligations in this area. Whether opt-in checkboxes for data use will require double opt-in in all cases or only some, and whether honouring an individual’s right to be forgotten means purging them from every database backup, is still a little unclear. What is certain is that all organisations collecting and processing customer information in CRM and back-office systems need to be aware of the requirements. In most cases, systems will need to be enhanced to record evidence of each opt-in action (who consented, when, and to what) and to make it simple for users to change their mind and be forgotten.

Over the coming months we will continue to share our thoughts and understanding of the requirements, along with some of the techniques we think might be useful to help you ensure that your website complies. Given that, when May 2018 comes around and the GDPR applies, the ICO will be equipped with a rather ‘big stick’ to enforce it (fines for non-compliance of up to 20 million euros or 4% of global annual turnover, whichever is higher), we would recommend that you seek expert legal advice on your organisation’s GDPR obligations and readiness. Heavy fines have already been handed out to organisations with less than perfect data protection processes in place, and with GDPR raising the bar significantly, it is important to take every opportunity to prepare well over the next twelve months.