For at least the past year, the ICO has maintained that its enforcement of the “cookie” law will be complaint-led, but in the past week it has fired of what have been described as “nasty letters”.
With just days to go before the expiry of the year of grace the ICO gave UK organisations to comply with the law, the ICO appears to have changed tack.
Just last month, the information commissioner Christopher Graham said the ICO would be responding to complaints about organisations that are not following the rules, but now it is issuing letters, giving high-traffic websites 28 days to show what they are doing to comply.
From 26 May 2012, websites need to obtain users’ opt-in consent first if they want to install cookies that pass on information about browsing activities to third parties, or risk action by the ICO either in the form of a monetary penalty, or more likely an enforcement notice.
Why in the final days of the grace period, has the ICO switched from the complaint-led approach to what is tantamount to a far more aggressive from of sabre-rattling? Is this an attempt to catch a high-profile website with its pants down so the ICO can whip it into line as an example?
By the weekend deadline for UK organisations to comply with the cookie law, the ICO says it will publish on its website the template of the letter it has sent out as well as the names of the 50 high-volume websites that were targeted.
Assuming that all will be revealed, the question remains: Why is the UK the only EU member state that is demanding to see what website owners are doing to comply with the cookie consent requirement of the PECD?