MailOnline cookie complaint inaction fuels new ICO row

The Information Commissioner’s Office has found itself at the centre of a new storm over its inaction on online tracking, triggering claims that the regulator’s failure to enforce the basics of the law is both “harmful and an embarrassment” and that it is more interested in “PR fluff pieces”.

The case centres around a complaint filed by Mishcon de Reya senior data protection specialist Jon Baines back in September.

Acting in a personal capacity, and published in the form of an open letter to Information Commissioner John Edwards, Baines exposed how Daily Mail website MailOnline, which boasts 24.7 million monthly unique visitors, fails to offer readers a “reject all” option to opt-out of cookies.

In the letter, Baines wrote: “I cannot claim to be distressed by the infringements I allege, but I do claim to be irritated, and to have, cumulatively, been put to excess time and effort repeatedly trying to opt out of receiving cookies on the website and understand what sort of processing is being undertaken, and what sort of confidentiality of communications exists on it.”

Baines also cites a number of recent examples of the ICO insisting it will take tough action, including issuing fines, for non-compliance of the legislation, under Article 77 UK GDPR and regulation 32 of PECR.

His letter concludes: “Of course the website here is not the only example of apparent non-compliance: poor practice is rife. Arguably, it is rife because of a prolonged unwillingness by your office and your predecessors to take firm action.”

However, the ICO has rejected the complaint. In a statement it said: “Our approach is to focus on sites that are doing nothing to raise awareness of cookies, or get their users’ consent, particularly those visited most in the UK. When consumers raise their complaints with us, we either conduct our own compliance check or write to the organisation.”

But data protection experts have now waded in to the issue on LinkedIn, one wrote: “John Edwards’ office’s commitment to not enforce the basics of the law nor uphold individual rights is harmful and frankly an embarrassment. The fact that we have to fight for them to do their job, rather than them doing it proactively is a ridiculous state of affairs.”

Meanwhile another said: “As someone who has raised a number of complaints about online tracking with the ICO, their response is not unexpected, however appalling it is. I have had to challenge a number of responses from the ICO. They just don’t seem interested despite the rhetoric of their PR fluff pieces.”

The move follows accusations that the ICO has lost its appetite for issuing fines after it blamed “limited resources” for dropping its investigation into EasyJet’s 2019 mass data breach – one the biggest ever cyber attacks.