The EU Cookie Law reporting form – that isn’t

I’d like to return to an aspect of the UK’s implementation of the EU Cookie Law which I first discussed all the way back in February.

Back then, I speculated that if it was incorrectly implemented, ICO’s reportage engine for cookie law violations could be misused as a glorified snitching system. The cookie law was allegedly put in place to help people who did not understand their online privacy options or the technology behind them, yet the reportage engine required an active interest in privacy issues as well as an intermediate level of technical knowledge. There was also the obvious risk that the reportage engine/snitching system would be enthusiastically adopted by unscrupulous web agencies and designers looking to get one up over their competitors – and open a new revenue stream in the process.

An interview with the Information Commissioner himself, given to V3 in June, inadvertently revealed that this is exactly what is happening in practice:

“As of last Friday {8 June} we had 169 reports [submitted]. It’s fair to say that some have a little too much rhetoric but there are many where customers are pointing that well-respected brands are not doing anything about it [the cookie law] and can’t understand why not,” he said.

When he said “it’s fair to say that some have a little too much rhetoric” what he really meant is that, in the immediate aftermath of the law going on the books, many of the reports were submitted by people who did so because they had a position to take, an axe to grind, or consultancy services to sell. The offending cookies were a mere conduit for that. It is no wonder the V3 article was titled “ICO inundated with cookie complaints” – the tally of rhetorical rants actually helped ICO by making it appear as if the general public are much more interested in cookie issues than they are.

As for why he cannot understand why brands are not doing anything about the cookie law, that much is obvious: did the complainants even bother to contact the offending web site’s administrators first? Have they entered into a dialogue with the company about their cookie law intentions or to express their concerns directly? If they have done all that, and are not happy with the response (if any) they received, resorting to the reportage engine is all well and good. But the Commissioner’s comments suggest that in practice the cookie reportage engine is being misused as the first point of contact by passive-aggressive people who would prefer to raise a drama with a government agency than ask a simple question. What were ICO expecting when they released confused and conflicting public guidance depicting cookies as a malicious threat?

To illustrate that passive-aggression, someone tried to leave a comment on one of the cookie law posts in this blog. His comment was a question: could I please give him the address of the ICO reportage engine. And that spoke volumes. Here is someone who has gone on a high horse but cannot even be bothered to look up the reporting form’s address. If he cannot take the initiative to do that, what are the chances he has entered into a literate and non-ranting dialogue with the offending company first?

Independent regulators exist to step in where existing processes have failed. Yet the numbers we’ve seen suggest that consumers are using ICO as a complaints hotline rather than a route of recourse. And when you separate the legitimate problems from the rhetoric, the caseload that is left is so small and manageable that not one staff member has had to be hired.

The biggest irony about the cookie reportage engine/snitching system is that it isn’t. At this stage the form is being used solely to collect general information and take the pulse, as it were, of cookie issues in the UK. That may change, but for now, even if you do submit a perfectly valid complaint about an offending site, you will not receive a response, you will not receive an update, and there is no guarantee that the complaint will be acted upon. You cannot even submit your contact details with your complaint. This hands a gift to the people who have an ulterior motive for reporting a site. They can point fingers and rant all they want with no personal or professional accountability.

You could almost laugh at the absurdity of it all: the law is in effect, and we are obliged to obey it “or else”, but no punishments and fines have been issued, and no staff members have been taken on, because they are not actually accepting actionable reports of the law’s violations yet.

This is no way to solve a problem, and it’s no way to implement a law.

About the author
Heather Burns is a digital law specialist in Glasgow, Scotland. She researches, writes, publishes, consults, and speaks extensively on internet laws and policies which affect the crafts of web design and development. She has been designing and developing web sites since 1997 and has been a professional web site designer since 2007. She holds a postgraduate certification in internet law and policy from the University of Strathclyde. Learn about hiring Heather to write, speak, or consult.