Insights into the ICO’s ultimatum on cookies from our head of consultancy
Louise Brooks is the head of consultancy at DQM GRC. She started her career in law, became the first compliance officer for Worldwide Fund for Nature, and joined the RSPCA as head of data protection.
Now, she advises organisations on the GDPR [General Data Protection Regulation], the PECR [Privacy and Electronic Communications Regulations] and other data protection laws, helping them fulfil their privacy obligations while continuing to meet their business objectives.
We sat down to chat to Louise about the recent ICO [Information Commissioner’s Office] statement giving the UK’s top websites just 30 days to make sure they comply with cookie laws. If they don’t, the Commissioner has threatened enforcement action.
So, the ICO recently released a statement that some describe as ‘getting tough’ on cookies. What do you make of that statement?
Well, obviously, as the regulator, the ICO’s job is to enforce the law. So when it addressed cookies at this year’s DPPC [Data Protection Practitioners’ Conference], by way of a few senior members of staff mentioning that organisations are demonstrating a “worrying” lack of compliance in meeting the ICO’s expectations around “fair and balanced choice” for people when it comes to cookies, I felt a bit sceptical.
The thing is, the ICO has been taking a relaxed form of GDPR ‘enforcement’ recently by issuing reprimands – 35 of them in the past year, to be exact – instead of more formal enforcement action, like issuing monetary penalty notices. In contrast, in that same period, it issued only one GDPR fine, and that was for a really serious breach by TikTok, involving children’s data.
I really do feel that the best way for a regulator to enforce a law is to issue fines or monetary penalty notices for non-compliance, but that’s not what the ICO has been doing, particularly when compared to its EU-based peers. These reprimands might have reputational consequences if the media picked it up, but otherwise do very little in my view.
However, this recent ICO statement is different, and very interesting. In effect, it’s an ultimatum. So when the 30 days are up, what will happen to those organisations still not compliant? Will the ICO stick to reprimands, or start issuing fines? That’s something we don’t know yet, naturally, but I’ll be watching intently.
You mention GDPR fines. What about PECR ones?
Historically, the ICO has been very, very good at fining for PECR breaches. We analysed those fines from the past 12 months in a blog last week, looking into things like the sectors targeted and the level of the fines.
However, all those fines were in the marketing arena – specifically, around unsolicited direct marketing, so things like sending marketing communications without consent. Not around cookies.
To me, that made the ICO statement/ultimatum even more interesting, because as far as I can see, the ICO has never really regulated much in this area. It has issued its PECR guide, but that’s pretty much where it stopped.
If the ICO does start issuing fines, do you think they’d be big enough to deter organisations from non-compliance?
It’ll depend on the organisation, but they may not be. Particularly not if the organisation’s business is data.
To give you an example, I was working with an organisation recently, conducting a GDPR gap analysis. At the time, that organisation was being investigated by the ICO for PECR breaches. But the potential fine my client was looking at was a drop in the ocean in relation to its annual turnover. So that fine won’t stop its business activity, though it did make that organisation rethink how to go about that activity.
Also, the organisation has challenged the fine, so it remains to be seen whether it’ll end up paying it, and if so, what the final level of that fine will be. And it’s really common to challenge fines. Organisations know that they can challenge any fine, so that’s precisely what they do – and I also think that it’s quite rare for any monetary penalty notice to remain unchanged.
To give you another example, a consultant colleague was recently conducting a GDPR gap analysis and cookie audit for a household retail name. That organisation told us that it knows that its cookie practices aren’t compliant, but it’s waiting for a bigger retailer to be fined first. Or to make the changes first. Until then, the organisation is happy to bear the risk, because it’s more important to that client to get the analytics data it’s collecting – which it isn’t obtaining consent for – than to be compliant.
Do you have more experiences with clients you can share?
Sure! One client that I’m working closely with at the moment internally classes its Google Analytics activities as ‘strictly necessary’.
Legally, of course, they’re not ‘strictly necessary’. But this organisation absolutely has to have this information due to its reporting obligations to its funders. So that’s an example of a business that has assessed those risks and concluded that it literally can’t function without that information. It simply needs that data, that evidence, to present to its funders if it is to retain their backing, without which the organisation simply wouldn’t exist.
This is also what this client is presenting to the board: the risk of not gathering the information through analytics cookies, without which it wouldn’t have the evidence to prove that it’s effective at what it does, far exceeds the risk of any fine for gathering that information.
I find it interesting to see this risk analysis happening in practice. It’s not uncommon for me to say to a client: ‘Look, this is what I think you should do to become compliant’, which that client then decides to not do due to its risk appetite. Also, these types of organisations, especially larger ones, often have the contingency funds to pay a fine, should they receive one.
You obviously understand why organisations are actively choosing not to comply, even if this goes against your own views as a privacy consultant. So how would you work with such clients?
I usually present things to clients as follows: ‘This is what the law says. This is the gap between what you’re doing and that law. And these are the changes I think you need to make to be compliant. However, given your operational circumstances of X, Y and Z, you may consider taking a risk-based approach, but you should be mindful of A, B and C.’
‘A, B and C’ might be, for example, the ICO’s recent statement, a recent fine, what the guidance says, and so on. And then I just leave it with the client! I just need to tell them what they should be doing to comply, but I understand that the organisation then has to weigh up the risk of making that change against the risks of non-compliance materialising.
Going back to the ICO’s statement, as it claims to have written to the organisations hosting the UK’s most-visited websites, that suggests that those are large organisations dependent on the data they collect via cookies. As you said, these aren’t likely to rethink their business model, even if fined.
Yes, which is why it’s so interesting to see what will happen next, after the 30 days are up.
Another thing that’d be very interesting to find out is if the ICO’s letters are sector-specific – retail, for example – as this would tell us what the ICO considers its main focus for addressing non-compliance.
I’m obviously not the only one in the industry thinking along these lines, as I’m aware of people on LinkedIn who’ve put in FOI [freedom of information] requests with the ICO, asking about which organisations it has written to, and exactly what the letters say. I don’t think the ICO has responded to any of them yet though.
So how can DQM GRC help organisations meet their cookie requirements?
We offer a comprehensive cookie audit service that broadly involves the following:
- Reviewing a cookie banner for compliance.
The audit is conducted based on an automated scanning tool and manual testing by our consultants, and the results are presented in a practical report that tells the client what its risks are and how to address them.
But I think that the real added value of what we do is our practical advice. I’d like to think that we’re unusual in that, because if someone goes to a law firm, nine times out of ten, they’ll simply be told: ‘This is the law, and this is what you need to do to comply’. We, on the other hand, try to be more practical and realistic about what compliance might look like for a specific organisation.
Also, we spend a significant amount of time with a client – often two or three days – and we have a really broad range of experience in the team. For example, I’ve got a lot of experience and expertise working with charities, while my colleague Mark James has that with religious and retail organisations. We’ve also done a lot of work with data brokers. There probably isn’t any sector or business area we don’t have experience in and this really helps us have an awareness of the likely environment a client operates in, and the type of risks it may face as a result.
In short, you’ll get an experienced consultant who’s going to tell you what your risks are, and give you practical advice and guidance on how to make changes, so you can meet your legal obligations without compromising your business objectives.
Plus, this advice is completely tailored to your organisation – here at DQM GRC, we’re all about tailoring our services to our clients so we can meet their specific needs. We recognise that every organisation is different, and that our offerings must reflect that.
We hope you enjoyed this week’s edition of our ‘Expert Insight’ series. Please do leave a comment below to let us know what you think, and if you have any questions you’d like our experts to answer.
We’ll be back next week, chatting to another expert within the Group.
In the meantime, if you missed it, check out last week’s blog, where GRCI Law’s head of cyber incident response Cliff Martin gave us his expert insights into DORA incident management.
And if you want to find out more about our cookie audit service, and what our reports look like, please email email@example.com. We’ll be happy to answer any queries and send you a sample report.