UK—ICO Ramps Up E-Privacy Enforcement, but Assesses Cookie Threat As “Low”
By Brian Davidson, CIPP/E
The Information Commissioner’s Office (ICO) has recently updated the enforcement section of its website, highlighting that whilst data security breaches continue to be a significant area of focus for the ICO, breaches of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) will also figure highly in the ICO’s future enforcement agenda. In this regard, the ICO says that it has already been active in the areas of “spam texts,” sales calls and cookies.
Spam texts are identified as “one of the biggest concerns to consumers”—in particular texts about accident and Payment Protection Insurance claims—and the ICO refers to its cooperation with the mobile phone industry to identify one organisation that is now the subject of enforcement action. The ICO also identifies “live” and “automated” sales calls as other areas of priority and has explicitly identified—and published—the names of a number of companies with whom it is discussing compliance issues or whom it is actively monitoring with a view to possible enforcement. In this respect, the ICO is actively working with the FTC in the U.S. and with other regulators based in Ireland, Belgium and Spain through regulatory cooperation arrangements.
The ICO says that between January and March, it received a further 87 reported concerns via its website from individuals about cookies, far fewer than the number of complaints about unwanted marketing communications. The ICO plans to continue its focus on those websites that do nothing to raise awareness of cookies or obtain users’ consent and also on those sites that it receives complaints about or which are most visited by consumers. However, the ICO believes the threat to consumers is “low” in this area due to the low level of concerns reported.
Recently, the ICO has been going through its most prolific period of enforcement activity. By the end of 2012, it had imposed 25 fines, issued three enforcement notices, secured six prosecutions and obtained 31 undertakings. 2013 looks set to bring a similar level of enforcement activity. In March, for example, the ICO issued its first monetary penalty for a serious breach of PECR relating to live marketing calls, a £90,000 fine for Glasgow-based DM Design.
Brian Davidson, CIPP/E, is a privacy and information law advisor at Field Fisher Waterhouse, LLP.