Freedom of Information exposes the UK’s Cookie Law charade

I don’t know if one “P Foomer” was in attendance at WordCamp UK 2012 when I exhorted my audience – only half-jokingly – to file Freedom of Information requests to get some real answers about the UK’s implementation of the EU Cookie Law. Whether he was there or not, P Foomer has done just that.

The response he received from the Information Commissioner’s Office is nothing short of a bullet through the heart of this law as it stands in the United Kingdom.

You can view the full outline of correspondence on What Do They Know, but I’m going to summarise the bottom lines here.

First, he asked how many sites have been referred to ICO for alleged non-compliance.
The bottom line is: 209.

Second, he asked how many sites have had multiple referrals to ICO for alleged non-compliance.
The bottom line is: 43.

Third, he asked how many web site owners ICO has contacted regarding alleged non-compliance.
ICO gave some PR mileage to the fact that they had contacted major web sites to enquire about their compliance intentions before the law went into effect (in other words, not because of actual non-compliance.) That number turns out to be 71.
As for how many of those 71 they have had to follow up with for failure to respond adequately, as opposed to actual non-compliance: 6.
In other words, the bottom line of how many web sites have been contacted for explicit non-compliance: none.

Fourth, he asked how many sites have been subjected to actual enforcement action for non-compliance.
The answer is: 0. ICO justify this figure on the grounds that they have “allowed websites this lead in period of one year from May 2011.” But that lead in period ended months ago. What’s up with that?

Finally, he asked how many full-time staff ICO has allocated to cookie law compliance and enforcement.
The answer is: 0. Existing staff have simply added it to their existing job duties.

So that is it. All that noise, all that hot air, all those patronising media spots, all those rule changes and moved goalposts, all those zealot software developers and scaremongering consultants, all those paranoid bloggers and overcomplying corporations –

all of that, for 209 web sites referred through a third party contact form.

All of that, for no enforcement action.

All of that for not one job created.

All of that for no perceivable shift in public comprehension of personal privacy in the social media age.

All of that for no grand public rebellion against cookies and the information they store.

Out of millions of web sites in the UK, just 43 annoyed more than one person.




That is all.

During the lead-up to implementation – a two-year period in which ICO changed its published guidance three times – a conspiracy theory of sorts arose. It stated that ICO were as frustrated and annoyed with the EU Cookie Law as the rest of us. After all, this law fell simply into their lap as the designated UK government agency responsible for privacy compliance; it was not something that any politician or agency mandated on their own. The theory suggested that ICO was simply going through the motions, doing the bare minimum required and occasionally making a lot of pointless noise, to keep the EU happy. The boss is looking – everyone do something!

Based on the results of this FOI enquiry I could almost buy into that conspiracy theory except for one thing. Like you, I am also a UK taxpayer. We have paid the wages and salaries of the people who wagged their fingers at us about why this law was in our own interests, and then proceeded to shift it to the back burner. We paid the postage on all those compliance intention letters. We paid for the work that went into that ten-page snitching engine, the one where everyday Britons were asked to note the expiry time of the cookie which offended them so much. We have had to step in and fight call centre scammers pretending to be ICO when ICO themselves maintained a public silence.

Even if I did not agree with this law I still respected the law, the organisation administering it, and their responsibility to carry out this work.

What kind of work do you call that, then.


  1. An excellent rant, although I agree that ICO’s credibility, particularly after its infamous u-turn on implied consent announced the day before the 25 Sep 2011 ‘compliance deadline’, is just about rock bottom. Not that we should complain too much though, since that implied consent route (completely illegal of course in the context of what the Directive’s actual words require) has enabled most websites to do little other than display privacy policies in various degrees of usefulness.

    This whole area is a typical EU cat and mouse long game, with the EU realising its PECR implementation has been very patchy, inconsistent and imperfect. But Nellie Kroes and Viviane Reding are fighters, and their latest stance is to up the ante in talking about a future Regulation (as opposed to a wishy-washy Directive), so the goal posts will undoubtedly shift, and perhaps significantly, in the next 2 years or so.

  2. The shifting goalposts are something I noted in my WordCamp presentation. They will shift from two points: externally from the EU with the next round of regulations, and internally from the Home Office’s Communications Data Bill. Even if this law was the most easily implemented thing in the world, it is going to change anyhow, rendering all the work done to date an academic exercise in one way or another.

  3. This law makes Web users click anything that looks like a cookie warning, to hide it and get their screen space back. The warnings are easily imitated, so the main effect has been to create another way for hackers to trick people into clicking dodgy stuff.

    But I do like the following example, from
    “Rock Paper Shotgun uses cookies. For some reason we are now obliged to notify you of this fact. Not that you care.”
