ICO’s Summer 2013 cookie law update

ICO recently published an update on cookie law complaints filed with them between April and June. Unlike the spring update, the summer update was not released with any announcement about its publication. It’s easy to understand why. Since ICO’s last update we have, of course, learned about PRISM and the Anglosphere’s ongoing mass electronic surveillance of civilian communications. As we suspected all along, marketers using minimally irritating cookies to create targeted advertising banners was a laughable drop in the bucket of our real privacy problem. I am proud to say that from the start of my public work on the cookie law, I always measured cookie and cookie law issues against the context of wider e-surveillance issues, such as shopping centre tracking beacons and the Communications Data Bill. What was the point, I asked, of legislating how web designers can use the functional cookies which run a CMS when governments wanted the right to hoover up the content of our communications at source? I was more right than I knew.

Anyway, on with the stats.

  • From April to July ICO received 75 cookie law reports. That does not mean 75 valid complaints, 75 different web sites, or 75 sites maliciously shredding site visitors’ privacy. It means 75 reports.
  • The number of organisations written to about the cookie law, since ICO’s April report, has risen by 30 to 265. Again, that does not mean 265 cookie law breaches, 265 cookie law threats, or 265 privacy violations. It means 265 letters sent out. It includes the information letters ICO wrote to many of the 200 most popular web sites in the UK to simply advise them about the law.
  • Of those web sites, ICO currently has possible cookie concerns about two of them. That’s two web sites in the entire UK.
  • The number of sites ICO is monitoring due to explicit refusal or absence of satisfactory cookie law compliance is: zero.
  • As with April, not one site has yet to be placed into stage one of the formal enforcement process – an Information Notice – much less gotten to stage four, a Monetary Penalty Notice, as a result of a cookie law complaint.

The EU cookie law, as implemented in the UK, is rapidly becoming one of those quaint laws that is technically on the books but utterly irrelevant, like the 19th century law still in force in Washington DC which says that any house with more than six women living in it is a brothel.

Let’s put cookies into perspective: those of you who attended my April presentation at WordUp Edinburgh will recall that I discussed how ICO’s priority, that very week, was issuing an Information Notice to the Home Secretary ordering her to describe the surveillance technology she intended to use as part of the Communications Data Bill, including its technical specifications and the procurement process which created it. She had, you’ll recall, refused to disclose that information on the grounds of national security. Now we know why: the technology she wanted to use was already up and running on British soil anyway.

Oh for the nostalgic good old days of cookies being your biggest privacy problem – specifically 2009, when the cookie law was first devised. We didn’t know how good we had it.

See also:

About the author
Heather Burns is a digital law specialist in Glasgow, Scotland. She researches, writes, publishes, consults, and speaks extensively on internet laws and policies which affect the crafts of web design and development. She has been designing and developing web sites since 1997 and has been a professional web site designer since 2007. She holds a postgraduate certification in internet law and policy from the University of Strathclyde. Learn about hiring Heather to write, speak, or consult.