I was stupid, I was naive: I thought that recent statements from senior people at the Information Commissioner’s Office (ICO) indicated a willingness to enforce against non-compliance in the use of cookies and cookie banners.
I was wrong. My recent complaint, published as an open letter to John Edwards, the Commissioner, not only took ten weeks to be allocated to a case worker, but, now, that case worker has told me, in terms, that they’re not interested:
we do not respond to cookie complaints individually…Our approach is to focus on sites that are doing nothing to raise awareness of cookies, or get their users’ consent, particularly those visited most in the UK. When consumers raise their complaints with us, we either conduct our own compliance check or write to the organisation…Our approach is to focus on sites that are doing nothing to raise awareness of cookies, or get their users’ consent, particularly those visited most in the UK.
This leaves two things hanging: 1) the site I complained about is one of the most visited in the UK; 2) the website in question arguably “raises awareness” of cookies, but only insofar as it confounds, frustrates and obstructs the user, in a manner which, in my submission, contravenes ePrivacy and Data Protection law, and 3) fails to get users’ consent (as it is defined in those laws).
MLex(£) have now written about this, and have secured a quote from the ICO, which is more than I got, really:
It is an ICO priority to influence changes to online tracking practices to create a more privacy-oriented internet. Where users want personalized adverts they should have the choice to receive them. But where websites don’t give people fair choices over how their data is used we will take action to safeguard their rights.
Try as I might, I can’t square that, and the ICO’s previous public statements about taking firm action, with an approach which fails in any real way to engage with people who take the time and effort to make complaints. But, as I say, I was stupid and naive to think it might have been different.
I’ve now complained, in turn, about the ICO’s handling of my complaint (and made an FOI request), in these terms:
1. I made a complaint under Article 77 UK GDPR. You have not investigated that at all, let alone “to the extent appropriate” as you are required to do under Article 57(1)(f).
2. My letter was addressed to John Edwards. Has he seen it?
3. You say, “When consumers raise their complaints with us, we either conduct our own compliance check or write to the organisation.” Which have you done here? Please disclose information either in respect of the compliance check you undertook, or of the correspondence you sent to Associated Newspapers Ltd.
4. Frankly, your response is discourteous. I went to some effort to assist the ICO in its stated intention to investigate poor compliance with PECR, but your response gives no indication that you’ve even read the substance of my complaint.
5. Your letter contains no apology or explanation for the extensive delay in handling it, which falls outside your own service standards.
In seriousness, I find this all really disheartening. The gulf between what the ICO says and what it does is sometimes huge, and not necessarily appreciated by those who don’t work in the field.
But I will get back in my stupid box.
+++
For completeness’ sake, the full response from the caseworker was:
Thank you for your correspondence in which you have complained about Associated Newspapers Ltd and its use of cookies.
Complaints regarding cookies can be submitted to us through the following link: Cookies | ICO
In this case, I have forwarded the information you have provided to the appropriate department. Although we do not respond to cookie complaints individually, we use the information you send us to help us identify, investigate and take action against organisations causing you complaint. To do this, we work alongside other organisations and website owners.
Our approach is to focus on sites that are doing nothing to raise awareness of cookies, or get their users’ consent, particularly those visited most in the UK. When consumers raise their complaints with us,
we either conduct our own compliance check or write to the organisation. Our website provides further information about the action we’re taking on cookies.
Yours sincerely
The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.