The Information Commissioner’s Office has found itself at the centre of a new storm over its inaction on online tracking, triggering claims that the regulator’s failure to enforce the basics of the law is both “harmful and an embarrassment” and that it is more interested in “PR fluff pieces”.
The case centres around a complaint filed by Mishcon de Reya senior data protection specialist Jon Baines back in September.
Acting in a personal capacity, and published in the form of an open letter to Information Commissioner Jon Edwards, Baines exposed how Daily Mail website MailOnline, which boasts 24.7 million monthly unique visitors, fails to offer readers a “reject all” option to opt-out of cookies.
In the letter, Baines wrote: “I cannot claim to be distressed by the infringements I allege, but I do claim to be irritated, and to have, cumulatively, been put to excess time and effort repeatedly trying to opt out of receiving cookies on the website and understand what sort of processing is being undertaken, and what sort of confidentiality of communications exists on it.
Baines also cites a number of recent examples of the ICO insisting it will take tough action, including issuing fines, for non-compliance of the legislation, under Article 77 UK GDPR and regulation 32 of PECR.
His letter concludes: “Of course the website here is not the only example of apparent non-compliance: poor practice is rife. Arguably, it is rife because of a prolonged unwillingness by your office and your predecessors to take firm action.”
However, the ICO has rejected the complaint. In a statement it said: “Our approach is to focus on sites that are doing nothing to raise awareness of cookies, or get their users’ consent, particularly those visited most in the UK. When consumers raise their complaints with us, we either conduct our own compliance check or write to the organisation…Our approach is to focus on sites that are doing nothing to raise awareness of cookies, or get their users’ consent, particularly those visited most in the UK.”
But data protection experts have now waded in to the issue on LinkedIn, one wrote: “John Edwards’ office’s commitment to not enforce the basics of the law nor uphold individual rights is harmful and frankly an embarrassment. The fact that we have to fight for them to do their job, rather than them doing it proactively is a ridiculous state of affairs.”
Meanwhile another said: “As someone who has raised a number of complaints about online tracking with the ICO, their response is not unexpected, however appalling it is. I have had to challenge a number of responses from the ICO. They just don’t seem interested despite the rhetoric of their PR fluff pieces.”
The move follows accusations that the ICO has lost its appetite for issuing fines after it blamed “limited resources” for dropping its investigation into EasyJet’s 2019 mass data breach – one the biggest ever cyber attacks.
ICO blames limited resources as GDPR action dries up
Online firms face pincer attack on dodgy data tactics
ICO issues cookie warning despite looming law overhaul
Ministers urged to get ICO enforcement back on track
EasyJet ‘slap on wrist’ shoots down £18bn class action
ICO and Irish DPC ‘among the worst GDPR enforcers’
‘Chicken’ ICO kicks adtech investigation into long grass