Much of the debate leading up to the enforcement of the EU Cookie Law in the UK on 25 May has concerned its practicalities: how to conduct a cookie audit, how to gain opt-in consent, and what experience to serve to visitors who decline to opt-in. Yet in all the chatter there’s one obvious aspect of the EU Cookie Law which has been overlooked. I spoke about it when I delivered my presentation on the law at WordUp Glasgow 2012, but the time has come to draw the wider community into the discussion.
Put simply, we are being compelled to comply with the law at the risk of punishments and fines.
But what are the chances of punishments and fines actually occurring?
After all, the buildup to compliance has been peppered with menacing sound bites like this:
The ICO (the body responsible) has the power to serve penalties of up to £500,000 (about $800,000) to organisations that seriously breach the law. Details are still being defined and are likely to be tested in court.
But what those sound bites don’t tell you is that those figures represent ICO’s maximum penalty fines for all of the forms of data protection under its remit – not just the cookie law; that the financial fine is actually the fourth and final stage in an exhaustive warning process; and that the breaches which constitute a “severe penalty” are not even on the same radar as the issues presented by the cookie law.
An analogy might be that we are being warned not to commit a civil offence under threat of the penalties issued for premeditated murder.
ICO, the independent UK regulator which is responsible for cookie law compliance, has a massive and far-reaching remit. When you hear about a doctor being punished for leaving a memory stick containing patient data in the pub, that’s ICO doing the fining. When a Council makes the news for sending children’s social work records to the wrong people, that is ICO’s work as well. When a rogue landlord is prosecuted for bribing a Council employee to supply him with data on his tenants’ personal finances, ICO makes sure the message is heard loud and clear. The work they do is absolutely vital and serves the public interest.
ICO uses a four-stage process for handling breaches of data protection law:
1. an Information Notice, a requirement to provide clarification within a certain period of time. In other words, “Hey guys, we see that you’re doing this thing. Could you explain why?”
2. an Undertaking, an order to comply with a prescribed course of action within a certain period of time. In other words, as we say in Glasgow, “gonnae no dae that?”
It’s important to note that these first two stages apply to situations where the person was perhaps genuinely unaware of the problem and is willing to work with ICO to resolve it, where the problem is easily fixed, and where no lasting damage has been done. There are no punishments or fines.
3. an Enforcement Notice, an order to comply in cases where clear breaches have been noted, with failure to comply being a criminal offence. In other words, “Y’all got some shit goin’ down, fix it by 30 April or we’ll haul your ass into court.”
4. a Monetary Penalty Notice. The maximum fine is £500,000.
These last two stages apply in situations where the data protection issue was ongoing, malicious, severe, unforgivable, deliberate, or calculated, or where the organisation actively rejects the guidance in an Undertaking.
Let’s look at the kind of data breaches which ICO determines to be severe enough to warrant a monetary penalty notice:
- On 14 March ICO issued a monetary penalty of £70,000 to Lancashire Constabulary following the discovery of a missing person’s report containing sensitive personal information about a missing 15 year old girl.
- On 15 February ICO issued a monetary penalty of £80,000 to Cheshire East Council after an email containing sensitive personal information about an individual of concern to the police was distributed to 180 unintended recipients.
- On 13 February ICO issued a monetary penalty of £100,000 to Croydon Council after a bag containing papers relating to the care of a child sex abuse victim was stolen from a London pub.
- On that same day ICO issued a monetary penalty of £80,000 to Norfolk County Council for disclosing information about allegations against a parent and the welfare of their child to the wrong recipient.
- On 30 January ICO issued a monetary penalty of £140,000 to Midlothian Council for disclosing sensitive personal data relating to children and their carers to the wrong recipients on five separate occasions.
Notice a common theme running through those penalty recipients? All were public sector organisations whose data breaches put the safety and lives of individuals at risk.
Offences like these are not even in the same category as failing to ask a web site visitor for permission to set a cookie remembering if they like to view the weather forecast in Celsius or Fahrenheit.
As for that figure of £500,000, it turns out that the £140,000 penalty to Midlothian Council was the largest fine ICO has ever issued to date.
You have to go back to May 2011 to find a Monetary Penalty Notice issued to a private sector business. It was issued to good old Andrew Crossley – him of the ACS Law blackmail scam – for failing to keep secure the private data of 6,000 of the people he was trying to extort money from. The Monetary Penalty Notice? A whopping £1,000. He spent more than that in a month on his car valeting.
All Monetary Penalty Notices can be viewed on this page on ICO’s web site.
It’s also informative to look at the sort of data breaches which ICO deemed worth referring to the police for prosecution for having criminal elements beyond ICO’s data protection remit. These are malicious, calculated, and ad hominem acts which are not even in the same universe as customer-facing CSS.
Now, I am not saying that there is no chance of Monetary Penalty Notices or prosecutions being issued for violations of the Privacy Directive. I can’t say that. I’m not a lawyer, I don’t work for ICO, and I have no idea how enforcement of the law will be carried out in practice.
What I am saying is that public discussion and takeup of the EU Cookie Law has not been served by placing cookie issues on the same level as major data breaches which threaten the life and limb of the public. Scaremongering threats of six-figure fines have discouraged respect for the law as well as for the organisation administering it.
The blame for this lies with ICO for failing to clarify how they will enforce the law and punish malicious violations of it. But the blame also lies with every blogger, snake oil salesman, and lazy journalist who has mindlessly parroted the “£500,000 fine!” quote to serve their own motives.
So who would receive a Monetary Penalty Notice for a Cookie Directive violation?
Well, relax. It’s probably not going to be you. It’s going to be an organisation with the public profile, staffing levels, and revenue levels to have known better. Remember when Facebook was caught setting a cookie which tracked members’ web activity even after they had logged out of Facebook? That is the sort of violation this law was meant to address.
Not whether you are going to be personally responsible for paying a !!! MASSIVE PENALTY FINE !!! for not declaring an analytics cookie.
From the beginning I have made no claim to knowing a solution for the issues the Directive has placed before us. But I’ve read enough to know that it’s time to issue a plea for sanity. We need to find a way to talk about this law which doesn’t involve scaremongering threats of doom, gloom, and six-figure criminal fines. Let’s get to work.
Update 2014: two years after the implementation of the EU Cookie Law, there has been one small fine issued in Spain. It remains the only actual punishment levied under the cookie law across the entire continent.