ICO’s Spring 2013 cookie law update

Some new statistical LOLs this afternoon from the Information Commissioner’s Office.

  • From January to March they received 87 cookie law reports. That does not mean 87 valid complaints, 87 different web sites, or 87 sites maliciously shredding site visitors’ privacy. It means 87 reports.
  • The number of organisations written to about the cookie law, since their December report, has risen by 61 to 235. Again, that does not mean 235 cookie law breaches, 235 cookie law threats, or 235 privacy violations. It means 235 letters sent out. It includes the information letters ICO wrote to many of the 200 most popular web sites in the UK to simply advise them about the law.
  • Of those web sites, ICO currently has possible cookie concerns about seven of them. That’s seven, for the whole duration of this law, for the whole United Kingdom.
  • Not one site has been placed into stage one of the formal enforcement process – an Information Notice – much less gotten to stage four, a Monetary Penalty Notice.
  • ICO is still conducting only visual audits of reported web sites. They are not looking to see what cookies are there, how they are used, or what if any information they are capturing. They are looking for existence of a cookie law policy statement.

And that – not the low numbers – is the real failure of the EU Cookie Law. This is not a privacy law. It’s a bureaucratic tick-box. Your site can have blatantly intrusive cookies breaking wind on your visitors’ privacy. ICO doesn’t care. ICO just wants to see that you have gone through the bureaucratic exercise of drafting a cookie statement. Do that and they will pat you on the head regardless.

I gave a brief talk about these figures, as well as the 2012 report, at WordUp Edinburgh.

Update: Summer 2013 cookie law report