ICO’s 2012 cookie law enforcement report – what it really says, and what it really means

On 18 December the Information Commissioner’s Office, the government bureaucracy which administers the EU Cookie Law in the UK, released their unexplainably delayed report (promised for November) on how they have processed and enforced reported violations of the law since it went into effect in May.

My expectations for the report, based on the aggregate numbers they had already released, were very low. But the full report had me wiping away tears of laughter.

You can follow along by downloading ICO’s two report documents:

The five-page report opens with a sheepish confession:

Between 25 May and 21 November 2012 we received 550 {cookie law} reports. In the same period, individuals used our website to report over 53,000 concerns about unwanted marketing communications. This suggests consumers’ level of awareness and concern about cookies is relatively low.

And yet “low awareness of cookies” was the exact rationale used to justify ICO’s interpretation of the law. In their 2011 cookies guidance document, revised in 2012, they note:

Research into consumers’ understanding of the internet and cookies demonstrates that current levels of awareness of the way cookies are used and the options available to manage them is limited…The Department for Culture, Media and Sport commissioned PricewaterhouseCoopers LLP (PWC) to conduct research into the potential impact of cookies regulation1. PWC conducted an online survey of over 1000 individuals in February 2011. The report concluded that ‘broader consumer education about basic online privacy fundamentals could go a long way toward making users feel more comfortable online and also enable them to take more control of their privacy while online.’

The PWC report, dated April 2011, provided the survey data used to justify ICO’s pre-May 2012 interpretation of the law. It is 91 pages long and stuffed with tables and graphs. I read the whole report in preparation for my first presentation. The flaw in its methodology is obvious: it was commissioned by a UK government agency which needed data to justify the implementation of a statute they were already mandated to implement under penalty of international law. The survey data, regardless of what it said, was always going to be made to support to a preordained conclusion.

The problem is, not only are people still not interested in cookies, but their sole awareness and conclusions are likely to come from the ways that the law has been deployed – and misdeployed – as opposed to existing as an issue on its own. The ICO report carries on:

Consumers’ concerns vary significantly, but two themes are that they:
– are unhappy with implied consent mechanisms, especially where cookies are placed immediately on entry to the site;
– have not been given enough information generally, and specifically not enough information about how to decline cookies or manage them later.

ICO only have themselves to blame for this. After all, each of these things were perfectly permissible under their own variable provided guidance for compliance with the law. I defy any of my readers to come up with another example of overseeing bureaucracy making a 180° turnaround on its own law’s guidance on the day the law went into effect after investing months of time and effort telling everyone to do the other thing.

The report also whispers:

A significant number of people also raised concerns about the new rules themselves and the effect on the usability of websites.

Could you elaborate, ICO, on what you mean by “a significant number?” Is that backside-covering for “more people than are actually bothered with the law?” Does that include disabled people like Simon who use accessible technology and now cannot access some of his favourite sites at all due to inaccessible and over-the-top cookie compliance processes?

Do tell, ICO, do tell. And then tell us what you are going to do about it.

The report carries on with a few graphs reflecting numbers I would expect to see in a Council’s monthly Trading Standards report – not the numbers expected of a UK-wide bureaucracy. 388 reports about 207 web sites? The entire United Kingdom?

The report now lurches into the piece de resistance:

Between 25 May and 6 September 2012 we received 388 concerns raised about 207 websites. We have looked at all these sites (a basic visual audit), and the results are on the next page.

You read that right. ICO’s formal evaluation process for potential violations of the law was a visual auditThey looked at the site. Not in it. They looked to see if a cookie compliance mechanism was in place. What they did not do was

  • Peek under the bonnet to find what kind of cookies are in use, and how many there are;
  • Determine which cookies are essential and which are not;
  • Determine which cookies require a consent mechanism and which do not;
  • Determine what, if any, information those cookies were collecting, and where it was reporting that information to, if anywhere.

In other words, they did not first check to see whether a cookie compliance mechanism was required at all. In the grand bureaucratic tradition, the presence of the disclaimer is the goal: not its content, its necessity, or its authenticity. The mere presence of a cookie is still seen as a presumption of guilt: not its function, action, or consequence.

I am privileged to know, and to work in, a network of incredibly talented, driven, and creative web design and development professionals. I have never in my life met a single web design and development professional who got to that point by looking at web sites. We must regretfully conclude that a law cooked up by cloistered bureaucrats who neither use nor understand the technology they legislate is now being implemented and enforced by their junior counterparts.

After providing a few more graphs and screen grabs to pad their report out to five pages, ICO provide a link to a list of organisations they have written to in order to enquire about their cookie law compliance intentions. The list includes 68 of the most popular web sites in the UK as well as 106 sites reported to ICO by consumers.

“Snitched on” by consumers might be a better phrase. The list of sites reported to ICO reads like a list of personal gripes, conspiracy theories, and the vendettas of disgruntled customers and bitter competitors. The list includes

  • Network Rail
  • The Parliamentary site of Nick Clegg
  • The Parliamentary site of George Osborne
  • Jamie Oliver
  • Weight Watchers
  • Not one, but two sites selling till rolls. Till rolls?!
  • Three solicitors’ firms
  • Two GP surgeries
  • Three web designers, and
  • …The European Parliament (yes, really)

In my very first presentation on the law I predicted that we would see bitter web designers reporting each other for “cookie law violations” as a means of selling their own cookie compliance services and increasing their revenues. I was right.

One site on the list which jumped out me was that of the Glasgow World Cup, an annual world-class gymnastics competition staged here in Glasgow. I attend every year. Anyone who visits the site can instantly see that it is a sub-page of Glasgow Life’s web site which happens to have its own dedicated domain name for event marketing purposes. There are thousands of pages on Glasgow Life’s web site, as the organisation manages everything from public libraries to swimming pools to museums. Why would someone report one internal page of a site but not the whole rest of the site? It’s a clear example of how the reportage system is being used as a griping mechanism by passive-aggressive people who have no intention of understanding what they are complaining about.

ICO’s report also notes that a number of sites reported to it for “violations” are based outside the UK. While they say “therefore, where sites are based in another EU country, we have told the relevant authorities about the concerns we have received,” they say absolutely nothing about sites based outside the EU. This is yet another volte-face: you may recall that at this time last year they were arrogantly expecting every country outside the EU to follow suit with their own cookie laws.

I will go out on a limb and say that this is the judgement many of us were waiting for regarding WordPress.com and the millions of blogs hosted on it. As WordPress.com is based in the US, we can conclude that the UK, at least, is not going to demand that they fall in line with their interpretation of EU Cookie Law.

And finally, ICO closes by confirming that the carrot has no stick:

We are pleased that few popular sites appear to fall into the category of not seeking consent to use cookies. For them, though, we will now set a compliance deadline.

Last year I predicted that only the biggest and most popular web sites were at a genuine risk of a noncompliance punishment – albeit a nonfinancial one. This prediction seems to be coming to pass. I am sure that these big sites have deployed all resources to meet a vague compliance deadline coming sometime in 2013.

What’s ahead?

The only actionable part I find in this report is “a significant number of people also raised concerns about the new rules themselves and the effect on the usability of websites.” It would seem that for many web site administrators, 2013 will be dedicated to undoing the damage they did to their sites in 2012 in order to meet the 2011 guidance.

ICO seem to have their work cut out for them this year thanks to people getting revenge on their GP by reporting their surgery as a cookie law violator for having a third party weather widget. I leave them to it.

I fully intend to keep studying, writing about, and presenting on the EU cookie law this year. Some have said the cookie law is dead, and perhaps it is, but there is a more fundamental issue here: quis custodiet ipsos custodes? It’s a job I enjoy. Custodio.

Update: ICO’s cookie law stats for Q1 2013

2 thoughts on “ICO’s 2012 cookie law enforcement report – what it really says, and what it really means

Comments are closed.