recent work

FOI request confirms that ICO has yet to begin investigating cookie law violations

PC Pro Magazine submitted the request recently, and has discovered that ‘320 website have been reported’ to the ICO – but that non, thus far, have been investigated.

“At present the information has not yet been analysed as the team which will have responsibility for this is not in place yet,” the ICO told PC Pro. “It is intended that once the data has been analysed any organisations not in compliance will be identified, then further action will be considered as appropriate.”

Specialist employees have now been drafted in to investigate cookie non-compliance, electronic marketing and unsolicited text messaging. The ICO told PC Pro Magazine that it ‘expected the team to start work at the end of this month [August]’.

In 2009, the EU’s Privacy and Electronic Communications (e-Privacy) Directive was changed to state that storing and accessing information on users’ computers would only be lawful “on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information … about the purposes of the processing”. Consent must be “freely given, specific and informed”. An exception exists where the cookie is “strictly necessary” for the provision of a service “explicitly requested” by the user – for example, to take the user of an online shop from a product page to a checkout.

Amendments to the PECR implemented the Directive into UK law last May. The ICO placed a year’s grace on enforcement action in order to give website operators time to implement measures to comply with the new consent requirements, however that period has now passed. The ICO can issue fines of up to £500,000 to organisations whose websites do not comply with the PECR.