
Cookie compliance letters from ICO

Phil Lee
Earlier this week news began to spread that David Smith, the Deputy Information Commissioner, had revealed at a press briefing that ICO would be sending out a letter to 50 organisations about their cookie compliance strategy. According to one article we have read, Mr Smith refused to reveal the identity of those organisations, but the list has been published all the same.

Or, rather, it has and it hasn't.  We have been provided with working links to pages on the ICO website that contain the list and the template for the letter, but it's unclear how you actually access these from the ICO website itself.  Perhaps we have early versions of the links, or perhaps ICO has intended to "de-publish" the list. Whatever the position is, our links work.

We're not going to publish the list or the links, but its contents are curious.  We cannot see an obvious theme in the list of names.  A friend has speculated that the list is of the 50 most visited UK websites, but that sounds unlikely when you see some of the names involved. 

Others speculate that the list is actually compiled from other lists of regulatory actions, investigations and inquiries held by ICO - in other words, the suggestion is that ICO may have written to organisations that it may perceive to have compliance problems in other areas of the law.  So, for instance, ICO might have written to controllers who are on the radar for security breach problems, or perhaps subject access problems - and so on.  This idea may have merit, seeing that ICO follows what it describes as a "risk based approach" to regulation; a risk based approach naturally means placing your resources where you perceive the most risk. 

Or, of course, the list may be entirely random.

Anyway, this list reminds me of two other recent situations.

Not too long back ICO was handling a Freedom of Information Act request that sought information about data controllers and security incidents regulated by the PEC Regulations. ICO invited the data controllers to comment on whether their details should be revealed before making its decision.

A little further back, there was another list circulating, which, I seem to recall, was a list of data controllers whom ICO had invited to participate in consensual audits.  That list was published and then later removed.

Whatever the case may be, how the organisations named on the list will view their inclusion may depend on whether they are a "glass half full" kind of organisation or a "glass half empty" kind.  The glass half full organisation can say that it doesn't matter that they're on the list, because they've got a great story to tell about their cookie compliance strategy, so there is nothing to worry about. The glass half empty kind may say that, while they've got a great story to tell on cookies, they see a risk that their inclusion on the list carries an innuendo, published to the world, to the effect that ICO sees them as having a wider compliance issue; as the cookie issue fades from importance, the innuendo may remain, and that may not be helpful.

There is, of course, another kind of organisation: the one who actually wants to know how their name came to be included on the list and whether ICO's selection reflected issues that are not strictly part of the current cookie compliance debate.  For those organisations, there are mechanisms available to them to understand the basis behind their selection.

Oh, yes, there is another kind of organisation: the one that has not got a good story to tell on cookie compliance.  Now, if the basis behind their selection is some other compliance issue, they may have something to worry about.  For them, some very interesting questions arise.  These principally concern the legal status of the letter they have received and the legal status of the request for a response within 28 days.  What legal power does ICO rely upon when making the request for an answer?  Is ICO making any promises that the answers received "will not be used in evidence" against them, or is there a chance that the responses will provide a substantive basis for enforcement action?  For an organisation with these concerns, it would be wise to understand the legal parameters of what is actually going on.  Whether this is worth doing or not ultimately depends on how you read the letter, but like every letter, ICO's one ends with a signature.  And the signature is that of the PECR Enforcement Manager.

Makes you think...

(Posted on behalf of Stewart Room, Partner, Privacy & Information Law Group)
