The Information Commissioner’s Office (ICO) has imposed a new privacy law which will come to fruition this week, allowing them to fine companies who breach privacy regulations up to £500,000. As a result of the development, the ICO will write to the top 50 websites in the UK requesting information on how they have made their company’s processes compliant with their new regulations. Although it is not entirely clear how the top 50 will be defined, one of the confirmed criteria was the volume of site traffic. The websites in question will have 28 days to respond to the request.
Despite their targeting of these high profile sites, it seems that across the board the ICO will not be enforcing the law as strictly as some might expect. David Smith, the ICO’s deputy commissioner and director of data protection, has stated that the ICO is not “suddenly going to launch a torrent of enforcement actions”. He confirmed that there will be a level of flexibility, including the use of formal warnings before fines, and clarified that “It’s most unlikely that breaches of cookie requirements will meet the criteria that we have to satisfy before we can impose fines. It would have to be a serious breach and it has to be likely to cause substantial damage or distress to individuals”.
Although all online businesses should pay attention to the ICO regulations and take steps to ensure that their site meets the new privacy standards, many are said to be unsure or unhappy about the law, as the ICO has not definitely stated what they mean by compliant – leaving many businesses concerned that any measures that they take will be insufficient. However, whilst it is impossible to be completely definitive, there are some approximate guidelines which it is advisable for all businesses to follow.
The more intrusive the cookie is, the more likely it is that the company responsible will be penalised, subject a sliding scale of severity. Tracking cookies will be considered most intrusive, whereas analytic cookies are less likely to incur penalty. The ICO also advocates the use of a consent form, where users can opt to allow or disallow cookies for particular sites. It is hoped that once consumers are used to making this choice that the ICO can further advise businesses on their privacy practices, but ultimately they are hoping that the industry will take the lead in coming up with solutions.