The EU, Cookies And That Pesky Law

04 Jun 2012 by Gordon
Comment
Cookie Monster and the EU flag

C'mon, of course we were going to use the Cookie Monster...

Just over a week ago, on 26th May, the year long grace period for web sites within the UK to comply with the amended cookie directive, EU legislation that came into effect in 2011, passed. Since that date, every web site within Europe, by law, has to not only provide clear and comprehensive information about cookies but obtain consent (more on this later) before storing them, a situation that’s left most web site owners confused, most web developers very annoyed, and no doubt our American friends from across the pond chuckling away at our ridiculous predicament.

Now, I can’t say that I harbour particularly strong political views (other than my own special theory on the perfect blend of Communism and Capitalism, naturally) but my mind does boggle sometimes at the laws and legislations discussed or passed by governments regarding either our privacy or the Internet or, worse, both. One day we’re being told to buy into the idea of identity cards and full body scanners that invade our privacy and the next we’re being told to confirm to a severe rule about cookies in order to protect it.

“It’s difficult to imagine that non-compliance with the cookie rule is ever going to trigger a situation in which we would be able to issue a monetary penalty.”

Dave Evans, Group Manager, Information Commissioner’s Office

I do understand (and even appreciate) the sentiment behind this updated cookie law but, personally, I find it’s implementation unnecessary and heavy-handed, potentially damaging to businesses in a time of economic fragility. Plus, the reality is that it’s going to be impossible to pull off, both technically (even embedding a YouTube video on a site now without prior consent is potentially a no-no) and logistically considering it doesn’t even affect most of the biggest players out there. I mean, if you want to see someone who likes to mess around with people’s privacy then look no further than Facebook… and this new cookie law isn’t going to change that in the slightest.

Fortunately though, the Information Commissioner’s Office is being very sensible and rational and made a last minute alteration to the law in order to allow implied consent, implied being the magic word which allows one to assume that if a user browses a site, they are accepting its terms of use. Kind of. It’s all a bit vague.

“The Information Commissioner recognises that gaining explicit opt-in consent for analytics cookies is difficult and that implied consent might be the most practical and user-friendly option.”

ICO Cookies Guidance document

Likewise they are also being quite pragmatic in their approach to enforcing the law and also in what they consider reasonable action to be taken by web site owners. Not only do they pretty much admit that they will never actually ever issue a penalty to anyone who isn’t willfully disrespecting the legislation but, quite rightly, they surmise that it’s more about following the spirit of it than anything else. It looks like that if you only use unobtrusive first party cookies such as for analytics and are open, honest and abundantly clear in your usage of them, then you’re all good. Of course, anything more intrusive will likely require further action, such as obtaining active consent.

No doubt part of this decision was made because the ICO realised how impractical the law is and partly because a lot of the other EU members states haven’t done anything about it yet. Whilst us ol’ Brits are being good and diligently conforming to European legislation, countries like Germany and Italy don’t seem to be particularly bothered about it. Or rather, perhaps they’re far too busy dealing with more important concerns like, y’know, the Euro crisis.

“It is likely to be more difficult to obtain consent for this type of cookie where you do not have any direct relationship with a user – for example where users just visit a site to browse. In this case websites should ensure the information they provide to users about cookies in this area is absolutely clear and is highlighted in a prominent place (not just included through a general privacy policy link).”

ICO Cookies Guidance document

And whilst it may sound like I’m not particularly in favour of this cookie law (I don’t think most people are), I do appreciate the ICO’s stance on the matter and respect the way they are handling it. Matter of fact, I also wholeheartedly agree with what both they and the law in general is trying to achieve – I think educating users about cookies, giving them more knowledge and generally making the way cookies are handled more transparent is a good idea. Being forced to spam large consent banners across every single web site willy-nilly, not so much.

So now that we’ve discussed the law, how exactly is Primate going to be responding to it? Well by following it, obviously. We’re in the process of rolling out updates across our sites that only implement unobtrusive analytical cookies to place noticeable, and appropriately worded, links to information about the cookies used along with how and why they are there. For any of our sites that use more complex or obtrusive cookies, we’ll be reviewing them on an individual basis and taking further decisions on how best to not only inform the user but conform to the cookie law, requesting active consent if necessary.

If you want to get more advice and guidance from the ICO about the whole cookie debacle then you can check out this article over on their blog. The little note above the YouTube video made me chuckle.

If you liked this article then why not subscribe to our RSS feed.

Author: Gordon McLachlan

Gordon is uncomfortably good looking.

Comments

Leave a Reply