I don’t know if one “P Foomer” was in attendance at WordCamp UK 2012 when I exhorted my audience – only half-jokingly – to file Freedom of Information requests to get some real answers about the UK’s implementation of the EU Cookie Law. Whether he was there or not, P Foomer has done just that.
The response he received from the Information Commissioner’s Office is nothing short of a bullet through the heart of this law as it stands in the United Kingdom.
You can view the full outline of correspondence on What Do They Know, but I’m going to summarise the bottom lines here.
First, he asked how many sites have been referred to ICO for alleged non-compliance.
The bottom line is: 209.
Second, he asked how many sites have had multiple referrals to ICO for alleged non-compliance.
The bottom line is: 43.
Third, he asked how many web site owners ICO has contacted regarding alleged non-compliance.
ICO gave some PR mileage to the fact that they had contacted major web sites to enquire about their compliance intentions before the law went into effect (in other words, not because of actual non-compliance). That number turns out to be 71.
As for how many of those 71 they have had to follow up with for failure to respond adequately, as opposed to actual non-compliance: 6.
In other words, the bottom line of how many web sites have been contacted for explicit non-compliance: none.
Fourth, he asked how many sites have been subjected to actual enforcement action for non-compliance.
The answer is: 0. ICO justify this figure on the grounds that they have “allowed websites this lead in period of one year from May 2011.” But that lead-in period ended months ago. What’s up with that?
Finally, he asked how many full-time staff ICO has allocated to cookie law compliance and enforcement.
The answer is: 0. Existing staff have simply added it to their existing job duties.
So that is it. All that noise, all that hot air, all those patronising media spots, all those rule changes and moved goalposts, all those zealot software developers and scaremongering consultants, all those paranoid bloggers and overcomplying corporations –
all of that, for 209 web sites referred through a third party contact form.
All of that, for no enforcement action.
All of that for not one job created.
All of that for no grand public rebellion against cookies and the information they store.
Out of millions of web sites in the UK, just 43 annoyed more than one person.
That is all.
During the lead-up to implementation – a two-year period in which ICO changed its published guidance three times – a conspiracy theory of sorts arose. It stated that ICO were as frustrated and annoyed with the EU Cookie Law as the rest of us. After all, this law simply fell into their lap as the designated UK government agency responsible for privacy compliance; it was not something that any politician or agency mandated on their own. The theory suggested that ICO was simply going through the motions, doing the bare minimum required and occasionally making a lot of pointless noise, to keep the EU happy. The boss is looking – everyone do something!
Based on the results of this FOI enquiry I could almost buy into that conspiracy theory except for one thing. Like you, I am also a UK taxpayer. We have paid the wages and salaries of the people who wagged their fingers at us about why this law was in our own interests, and then proceeded to shift it to the back burner. We paid the postage on all those compliance intention letters. We paid for the work that went into that ten-page snitching engine, the one where everyday Britons were asked to note the expiry time of the cookie which offended them so much. We have had to step in and fight call centre scammers pretending to be ICO when ICO themselves maintained a public silence.
Even if I did not agree with this law I still respected the law, the organisation administering it, and their responsibility to carry out this work.
What kind of work do you call that, then.