We’re now well past the UK grace period for cookie compliance. But what are companies actually doing about this? Are their “houses in order” as required by the UK Information Commissioner’s Office (ICO). The ICO’s introduction of a new cookies banner on its website is a good time to take stock.
The best source information is contained in the ICO Activity Report published on 18 December 2012. The majority of sites that the ICO looked at rely on implied consent and the inclusion of clear information on cookies used. In other words: the classic banner or pop up plus a cookies policy.
What about user perceptions? Well, it seems that cookie compliance was relatively low on the consumers’ radars with 550 reported concerns. Consumers were much more concerned about unwanted marketing (the ICO received 100 times more complaints about unwanted marketing communications in the same period). Paradoxically (but perhaps not unsurprisingly), some users actually complained about the detrimental effect the rules were having on the usability of the websites.
Otherwise complaints fell into two categories, with consumers being unhappy with:
- implied consent mechanisms (84% of respondents thought the mechanisms were inadequate); and
- the level of information given about cookies generally (54% of respondents considered that no information about cookies had been given).
Between October and December 2012 the ICO also conducted visual audits of some 207 websites about which complaints had been received finding that:
- 43% had taken steps to comply (in our view a “nod” from the ICO that it looks “ok”);
- 33% had taken limited steps to comply (in our view, an implicit ICO criticism);
- 23% appeared to have taken no steps to comply! (in our view, an explicit ICO criticism).
The ICO then gave four examples of websites that it considered had taken significant steps to comply (implicit in this is that they had done a decent job)
So we’re increasingly clear on what the (not so new) rules require in practice. The new ICO banner now reflects this pragmatic market practice. Enforcement risk remains of course.