So how did things work out?
- Between April 2012 and September 2014, the ICO received a total of 1023 reported ‘concerns’ about cookie usage.
- 60% of these ‘concerns’ were received in the initial 8 month period.
- As a result, the ICO wrote to 275 organisations, and in every case, no enforcement was required.
Some attributed this apparent success to a well-run education programme and/or a proactive business base making the necessary changes. On the other side of the fence were the cynics who dismissed the exercise as a waste of time and money. Either way, the outcome of ‘ridding the internet of evil third-party tracking cookies’ was a good one!
For the sake of relevant comparison, and to put some context around this, it is worth noting that:
- In a single quarter of 2014 more than 47,000 ‘concerns’ were registered with the ICO in relation to unwanted marketing communications.
- This equates to organisations being 1249 times more likely to be complained about for marketing communications than for inappropriate cookie use!
The good news is that the ICO appear to have learnt from the lessons of the past and are being far more proactive and helpful in providing guidance that defines their expectations on data protection and privacy. Consent is a cornerstone of the data protection laws, and this week the ICO published a 39-page consultation document on its draft guidance on consent under the new regulation. Not only is there some essential reading in there for all Data Protection Officers (DPOs), there is also a consultation response document which allows anyone to submit feedback until 31st March 2017. This is a significant opportunity to shape the complete guidance document, due for publication in May of this year.
There is a lot to digest, and it is clear that specialist data protection lawyers are going to be very busy between now and May next year advising organisations of their obligations in this area. Whether data-use opt-in check boxes will require double opt-in in all or only some cases, and whether honouring an individual's right to be forgotten means purging them from every database backup, is still a little unclear. What is certain is that all organisations collecting and processing customer information in CRM and back-office systems need to be aware of the requirements. In most cases, systems will need to be enhanced to record evidence of opt-in actions and to make it simple for users to change their mind and be forgotten.
Over the coming months we will continue to share our thoughts and understanding of the requirements, along with some of the techniques we think might be useful in helping you ensure that your website complies. When May 2018 comes around and GDPR takes effect, the ICO will be equipped with a rather ‘big stick’ to enforce it (fines for non-compliance of up to 20 million euros or 4% of global annual turnover, whichever is higher), so we would recommend that you seek expert legal advice on your organisation's GDPR obligations and readiness. Heavy fines have already been handed out to organisations with less than perfect data protection processes in place, and with GDPR raising the bar significantly, it is important to take every opportunity to prepare well over the next twelve months.