I was stupid, I was naive: I thought that recent statements from senior people at the Information Commissioner’s Office (ICO) indicated a willingness to enforce against non-compliance in the use of cookies and cookie banners.
I was wrong. My recent complaint, published as an open letter to John Edwards, the Commissioner, not only took ten weeks to be allocated to a case worker, but, now, that case worker has told me, in terms, that they’re not interested:
we do not respond to cookie complaints individually…Our approach is to focus on sites that are doing nothing to raise awareness of cookies, or get their users’ consent, particularly those visited most in the UK. When consumers raise their complaints with us, we either conduct our own compliance check or write to the organisation…Our approach is to focus on sites that are doing nothing to raise awareness of cookies, or get their users’ consent, particularly those visited most in the UK.
This leaves two things hanging: 1) the site I complained about is one of the most visited in the UK; 2) the website in question arguably “raises awareness” of cookies, but only insofar as it confounds, frustrates and obstructs the user, in a manner which, in my submission, contravenes ePrivacy and Data Protection law, and 3) fails to get users’ consent (as it is defined in those laws).
MLex(£) have now written about this, and have secured a quote from the ICO, which is more than I got, really:
It is an ICO priority to influence changes to online tracking practices to create a more privacy-oriented internet. Where users want personalized adverts they should have the choice to receive them. But where websites don’t give people fair choices over how their data is used we will take action to safeguard their rights.
Try as I might, I can’t square that, and the ICO’s previous public statements about taking firm action, with an approach which fails in any real way to engage with people who take the time and effort to make complaints. But, as I say, I was stupid and naive to think it might have been different.
I’ve now complained, in turn, about the ICO’s handling of my complaint (and made an FOI request), in these terms:
1. I made a complaint under Article 77 UK GDPR. You have not investigated that at all, let alone “to the extent appropriate” as you are required to do under Article 57(1)(f).
2. My letter was addressed to John Edwards. Has he seen it?
3. You say, “When consumers raise their complaints with us, we either conduct our own compliance check or write to the organisation.” Which have you done here? Please disclose information either in respect of the compliance check you undertook, or of the correspondence you sent to Associated Newspapers Ltd.
4. Frankly, your response is discourteous. I went to some effort to assist the ICO in its stated intention to investigate poor compliance with PECR, but your response gives no indication that you’ve even read the substance of my complaint.
5. Your letter contains no apology or explanation for the extensive delay in handling it, which falls outside your own service standards.
In seriousness, I find this all really disheartening. The gulf between what the ICO says and what it does is sometimes huge, and not necessarily appreciated by those who don’t work in the field.
But I will get back in my stupid box.
+++
For completeness’ sake, the full response from the caseworker was:
Thank you for your correspondence in which you have complained about Associated Newspapers Ltd and its use of cookies.
Complaints regarding cookies can be submitted to us through the following link: Cookies | ICO
In this case, I have forwarded the information you have provided to the appropriate department. Although we do not respond to cookie complaints individually, we use the information you send us to help us identify, investigate and take action against organisations causing you complaint. To do this, we work alongside other organisations and website owners.
Our approach is to focus on sites that are doing nothing to raise awareness of cookies, or get their users’ consent, particularly those visited most in the UK. When consumers raise their complaints with us,
we either conduct our own compliance check or write to the organisation. Our website provides further information about the action we’re taking on cookies.
Yours sincerely
The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.
informationrightsandwrongs 
Just wondering whether the statement of the kind “we do not look at individual’s complaints etc etc” is inconsistent with S.166. Why not appeal to the Tribunal? Might have more success in getting ICO attention, possibly???
As regards your complaint to the ICO about their handling of your complaint then I am afraid you are in for a dismissive surprise. In particular the position of the ICO on dealing with complaints about their handling of complaints made to them is to carry out what is a procedural but not merit based review. For example did the caseworker acknowledge receipt of the actual initial complaint and did they also respond to the actual complaint and if they did then the ICO will tell you that they have followed their own procedures and if you are not happy with their actual decision then you can take Court action. Taking such Court action may well involve a claim for judicial review which will cost you many thousands of pounds particularly if you lose and of course the ICO are fully aware of that. If you feel stupid now then worse is to come and please post the response you receive from the ICO to the complaint you have made about them.
Thank you. I’m very aware of all of this, and the ICO’s response is highly unlikely to be a surprise to me.
I am glad to hear that. It certainly appears that the initial response of the ICO was something of a surprise to you
That’s because it’s a surprising response. I’m very familiar with how difficult it is to challenge a response.
Not sure how I may be of service here… but happy to throw my weight behind anything that you consider helpful 🤷🤔