18 months ago when the UK Government announced their implementation of the cookie regulation, I wrote a rather lengthy blog post detailing the media round up and posted a few links telling you all about the controversy.
Since then I’ve given them an alternative solution (which they didn’t take up), pointed out that the ICO got their priorities wrong (more of that in a minute), reminded you to get it right and when it would happen. Then, when it actually came in to being, I did my own audit post.
Of course by that point the ICO had done a last minute u-turn (who realised that would be the phrase de jour of The Coalition) and had decided that Implied Consent was good enough.
In the same period, individuals used our website to report over 53,000 concerns about unwanted marketing communications. This suggests consumers’ level of awareness and concern about cookies is relatively low, so we have decided to focus on sites that are doing nothing to raise awareness of cookies or get their users’ consent.
I found this partly interesting because I didn’t think I really got that many calls and texts from Marketing companies telling me about my PPI claims and how I can claim if I’ve had an accident at work. Certainly not enough to generate 53,000 complaints, especially considering I probably look at at about one hundred different websites in a month and I can’t remember getting annoyed at any of them for their cookies (except the ones who insist on having a three quarter screen message on a mobile device).
So surely that should be it? Give a slightly more obvious message and away you go. I think the ICO agree with that sentiment as PCPro Point out:
The ICO said it was considering 14 sites for further investigation. One of the sites it wrote to in its original letter campaign in May hadn’t taken any steps to meet the rules, and the ICO said it would contact the organisation to set a deadline for compliance – and may “name the site” in order to make consumers aware.
I wonder if that site is quaking in its boots about being named? Well it should be, as I alluded to in my first paragraph. If you lose your users trust over something as basic as this then you’re doing it wrong.
Of course this week we discover that this isn’t really the end of it. Enter German Green Party MEP Jan Philipp Albrecht and his changing of draft laws on data privacy in the EU. Data privacy is very important and we can see to what lengths it is being ignored based on the 53,000 complaints over unwanted marketing.
I’ve said it for a long time, the ICO needs to be stronger on this and it needs to do it more often. Back in August I revealed on this blog that there had only ever been 6 fines:
In fact, rather than looking at all the times that the ICO hasn’t issued fines, it is easier to look at the situations where it has. In fact it has only issued six fines so far, since it has been allowed to do so. Four have been to councils and one of them was to an organisation that no longer exists.
It appears that this has changed though. We still have a history of fining councils and other Government bodies, but two text spammers were fined £440k at the end of last year, the Prudential were fined £50k for mixing up customer details and a number of individuals have been fined or prosecuted when they’ve broken rules within companies.
However one of the biggest problems with the amendments that Jan Philipp Albrecht is suggesting is that they are very complicated. The amendments document is 200 pages long. How on earth are companies meant to know whether they are compliant or not unless the wording of laws is simple and understandable.
This may be because I work with many clients in heavily regulated sectors, but we have lawyers and legal experts still arguing with each other over what we should do with the cookies on the websites, despite the fact that the ICO, the only European Government to appear to actually do anything yet, has said that as long as you are doing something you are ok. Some of them are still looking at the letter of the law and suggesting the only way of complying is to not give a cookie on the first page of a the visit!
What the legislation is suggesting is a new job role though – that of Data Protection Officer, a role that is going to end up in an odd position. Half stuck between a Legal team telling them what they can and can’t do to be compliant, half stuck between a Marketing team telling them that they only way of making money is to bend the rules and half stuck between IT teams telling them on the complexity and costs of doing what they are suggesting.
Of course this won’t be for all businesses, but it is increasingly likely that many will have to have it. The original plan was to make it so that if the business was over 250 employees then it would need one of these people in a role, but the new suggestion is any company holding the personal information of over 500 people.
The 500 people route is slightly preposterous though, because what on earth will it include? My Twitter profile has over 400 followers. Does that mean that if I get a bit more popular I’m going to have to hire a Data Protection Officer? I don’t think so some how. But I would count my Twitter handle as a unique identifier, so surely anyone having a list of 500 twitter handles in their database would have to comply.
Personally I think the whole thing is turning into a bit of an OmniShambles. If I’ve learnt anything from working in businesses it is that if you want people to do something you have to tell them in clear, simple and succinct way. This should also apply to the Government, EU, UK or otherwise.