ICO: no fines for breaking cookie rules

Information Commissioner reveals how it will enforce new cookie rules

Nicole Kobie
18 May 2012

Websites won't risk a fine by failing to meet new cookie rules, the Information Commissioner's Office has said.

The rules - the result of an EU Directive - technically came into force last May, but the ICO gave UK sites a year before taking enforcement action.

That grace period ends next week, but the ICO has assured website owners it won't be issuing any fines. "Please don't read that as suddenly the ICO is going to launch a torrent of enforcement action," said deputy commissioner Dave Smith, at a media briefing.

Sites will generally only be investigated by the ICO after users report them via a yet-to-launch tool on the watchdog's site. Only the most intrusive cookies will lead to the ICO using its "enforcement powers", Smith said, which includes fines up to $500,000 or notices requiring companies to take action to fix data protection flaws.

Smith said fines were unlikely for cookies, as they wouldn't meet the requirements for being "substantially distressing" to individuals. "We do not rule that out but it's most unlikely that breaches of cookie requirements meet the requirement for monetary penalty," he said. "In the area of cookies, it's quite hard to satisfy the test for a fine."

A briefing document from the ICO put it more clearly: "In reality the placement of a cookie on an individual's device will not meet the necessary criteria to be considered for a CMP [civil monetary penalty]."

The watchdog stressed that sites that have taken some steps to reach compliance were unlikely to face any action. "We recognise that some people have web development cycles that don't just start when the ICO says," added Dave Evans, strategic liaison manager at the ICO.

Leading by example

Smith said people have asked if the ICO's own site should be looked to as a model for how to address the new rules. "We don't put it up as a wonderful inventive solution... but above all, it's legally compliant," he said, adding there are "probably much better ways of getting consent".

However, the ICO had few examples to point to for businesses to get ideas, saying it didn't want to hold up specific sites as models of compliance as every site will require a different approach and use different technologies - adding apps could also be covered by the regulations.

Smith said the ICO was about to send letters to 50 top websites, asking what they're doing to meet the rules. Earlier this week, the Cabinet Office admitted the majority of Government sites wouldn't reach full compliance by next week. The ICO said that didn't give a free pass to other sites. "Don't take Government websites as an excuse," Evans said.

Read more about: