In my experience of working as the ICO’s industry strategic liaison manager, the vast majority of businesses want to operate within the law, and it is for the ICO to make sure they’re aware what that means in practice.
One area where I’ve seen most progress is cookie guidance, where our work in making businesses aware of the new regulations has been key to our long term aim of ensuring compliance with the law.
From some initial conversations that involved having to explain what a cookie even was, we’re now at a stage where businesses should know they have to respond to the law.
It might be a law they wish didn’t exist, but the simple fact is that it is here to stay. The EU passed the legislation, the Department for Culture, Media and Sport (DCMS) implemented it, and it’s now the ICO’s job to regulate the organisations that have to comply with the law.
Broadly speaking, there’s two ways we go about this: an education programme to inform the industry, and enforcement work to ensure compliance.
So we’ve issued guidance and press releases, spoken at conferences, held meetings and workshops and even written to 75 of the most visited websites, asking what steps they had taken to achieve compliance and offering our help. We are working through the intelligence we have gathered to see if websites are taking action to increase the visibility of information about cookies, and already a fair number have.
But we’re balancing that with enforcement: for example, some sites have failed to engage with us at all, and they’re now being set a deadline to take steps towards compliance, with formal enforcement action likely if they fail to meet this deadline. Failure to act on an enforcement notice is a criminal offence.
We’re comfortable with the balance we’ve struck so far. It’s the Information Commissioner’s duty to make people aware of the law (even if that is sometimes unpopular), and I feel we’ve done that.
It’s equally the case that on enforcement of the law, taking the easy way out wouldn’t work. We haven’t issued any enforcement notices yet, which some people feel means we’re not being strict enough, but we’re happy with the work we’ve done in the background to ensure any action taken is credible and proportionate.
Crucially, businesses with an online presence should, by now, be aware of the law and while some are still unclear around whether implied consent is allowed, we continue to work to educate around this.
At the same time we’re learning more about what consumers care about. We’ve had more than 380 responses to our online cookie concern reporting tool so far, and we have been working to respond to those concerns, with a progress update due to be published on our website in November.
|Dave Evans managed the Business and Industry Group which develops and manages the ICO’s relations with its key stakeholders in the private sector and provides advice on a range of significant data protection policy areas. Dave left the ICO in July 2013.|