I would be entirely sympathetic to anyone sending a letter similar to the one below to the ICO in response to a complaint about cookies.
Dear DCMS and ICO.
You gave us a delayed and loosely worded cookie law that missed the point of the wider privacy concerns completely. So if my response to your law is delayed, represents the loosest possible interpretation and doesn’t solve the wider privacy concerns, please don’t be surprised.
You asked us for a measured response to the law that is proportionate to the intrusiveness of the cookies we use. Almost all cookies are pretty benign, even the advertising cookies, and users’ browsers have had the ability to control cookies ever since they were invented. Our measured, proportionate response has therefore been to put a link to a brief and readable cookies policy in the header/footer. I’m fairly confident that this is all you expected us to do anyway, but it would have been nice if you’d just told us this eighteen months ago.
Whatever your views on the law are, it’s becoming increasingly clear that complying with it in almost all cases will be as simple as understanding what cookies you use, and having something on your site that tells people what you do with them. That’s it. Unless of course your cookies capture people’s medical details and then you flog that data to insurance companies. You might want a checkbox for that. Otherwise, I see nothing whatsoever to suggest that a footer link and some information is not enough. And “enough” is the key word. Why do more? By doing more you wouldn’t be helping yourself, and you certainly wouldn’t be helping your users.
We, as citizens, are not expected to unnecessarily over-comply with any other laws. We don’t drive at 60mph on the motorway when it’s clear. We aren’t expected to pay 4% stamp duty when we’re only in the 1% band. So don’t feel like you have to over-comply with the cookie law, and remember that the people who want you to over-comply are almost certainly the people trying to sell you something you don’t need.
Stupid little buttons and banners
As an enthusiastic user of the internet I am getting increasingly irritated and bored by stupid little buttons and banners asking me about cookies. As someone with a reasonably informed opinion about the cookie law I am dismayed that site operators think this is appropriate, meaningful or useful to anyone.
If web users start demanding stupid little buttons and banners, or if the ICO does fine someone for not having a stupid little button or banner, or if someone can convince me that stupid little buttons and banners somehow improve users’ control over their privacy, then I will start recommending that site operators add stupid little buttons and banners to their sites. Until then, my advice (I’m not a lawyer etc.) continues to be: do the least you can to comply with the law, in a grown-up, non-churlish way, and not put stupid little buttons and banners on your sites. Chances are your cookies aren’t intrusive enough to warrant anything other than a navigation bar link to an informative cookies policy page anyway.
Not a lot of regulation from the regulator
In the early days the ICO were keen to say that they expected industry to come up with sensible solutions to how to comply with this law. At the time I thought how nice of them that was. Now I realise that guidance meant “We don’t know how to do this, you tell us”, to which I respond “No, you’re the regulator, so regulate. If you’re serious about the actual privacy concerns (and you should be) give us a serious law to comply with.” Christopher Graham, the Information Commissioner, said that he “had teeth and was willing to use them.” So far he’s written a nice letter to fifty companies, there haven’t been any fines, they don’t respond to complaints via their complaints tool and they don’t even respond to scammers imitating them. We’ve seen no evidence of Christopher Graham’s teeth and I hope that’s because he’s got them sunk into more important things.