The effects of the new cookies laws

On 26 May 2011, the rules about the use of cookies and similar technologies were changed. The change was prompted by amendments to the EU’s Privacy and Electronic Communications Directive. Although several weeks have passed since the change, few websites comply with the new law, and confusing guidance from the UK and EU data protection authorities has left website owners scratching their heads.

What the law says

The old rules on cookies said that you had to tell users what cookies were doing, why they were there, and how users could opt out of receiving them. The usual practice was to provide this information in a privacy policy. The new rules (quoted in full at the end of this post) require that websites obtain a user’s consent before using cookies. There is an exception to this new rule: if a cookie is strictly necessary for “the provision of an information society service requested by the subscriber or user”, then consent will not be needed before the cookie can be placed on the user’s computer. However, the Information Commissioner has indicated that this exception will be interpreted narrowly.

Methods of getting consent

One area of confusion concerns the question of consent. Widely discussed possibilities include the use of browser settings, the use of pop-ups, consent incorporated into T&Cs acceptance, and the approach taken by the Information Commissioner’s Office (the ICO).

Browser settings

The Directive and implementing Regulations appear to allow web businesses to rely upon browser settings, but both the UK and EU authorities have indicated that current web browsers do not effectively enable consent. There is a UK government-formed working group tasked with finding a technical solution to the consent issue. With industry-leaders like Microsoft, Mozilla, Apple, Google, Yahoo and Adobe on board, the authorities appear to be hoping that the problem will be solved without further legislation. However, if the position of the authorities is right, and current browser settings are insufficient, then taking into account the fact that many users continue to use outdated browsers (5% of this site’s visitors use IE6, released in 2001), browser setting may never be a complete answer. Further, its not entirely clear what changes to browser settings would lead to compliance. More granularity may mean more confusion.

Pop-ups

The consent requirement could be implemented by means of a pop-up box that asks new users to consent to cookies. Some of the problems of this approach are obvious. Most importantly, this type of feature will ruin the usability of the website: unless used very carefully, pop-ups are inherently offensive to most users. And how will the website remember users who have opted-out (without using cookies)? Will they see the pop-up on every visit? Where many cookies are being used (as on most modern websites), how can users realistically differentiate between the cookies and their different functions? Will the average user even understand the reason for the opt out procedure?

T&Cs

Where all users have to consent to website T&Cs, cookie consent can be incorporated into this process. However, the demands of usability mean that sign-up processes should be kept to a minimum, and this option will only be a solution for a small number of websites (Facebook, anyone?).

The ICO approach

One approach is to follow in the footsteps of the ICO itself. If you visit www.ico.gov.uk, you will see a banner across the top of the page asking for cookie consent. But look closer: the banner also highlights a key issue with the new law. Modern websites with interactive functionality don’t function properly without cookies. Given that many users (e.g. EU legislators and regulators) may not fully understand the importance of cookies, there is a risk that many users will refuse their use, without necessarily reading the explanatory text. Another problem – the potential of the new law to make cookie-based analytics systems (such as Google Analytics) worthless – has been highlighted by researcher Vicky Brock. The results of her freedom of information request concerning ICO usage statistics after the implementation of the consent banner make very interesting reading.

No enforcement for 12 months

Unusually, the Information Commissioner has announced that these new laws will not actually be enforced for 12 months. The purpose of this grace period is to enable website owners to review their use of cookies and to start thinking about how they will comply with the revised laws come May 2012. But the Information Commissioner has also stressed that he will not tolerate operators who ignore the changes or refuse to take action.

Reaction to the new laws

Few informed commentators have much praise the new laws. At the time of writing, almost no UK websites have made changes to comply (the ICO site is the only one I’ve come across that wasn’t in jest, although I haven’t systematically searched). The fact is that many if not most UK websites using cookies didn’t comply with the old law, and it’s hard to believe that the level of compliance is going to increase significantly now that it is much harder to comply.

Any chance of new new laws?

Less than one third of EU countries have complied with the Privacy and Electronic Communications Directive to date, and the UK has said it won’t enforce the law for now. Surely policy makers realise that there is a serious problem with the new laws? A more targeted (and perhaps less technology-neutral) approach may be necessary to deal with the real problem of data misuse. However, at the time of writing there is no sign of any plans to amend the Directive or Regulations.

***

Regulation 6 of the Privacy and Electronic Communications Regulations (as amended) is quoted below:

(1) Subject to paragraph (4), a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met. (2) The requirements are that the subscriber or user of that terminal equipment– (a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and (b) has given his or her consent. (3) Where an electronic communications network is used by the same person to store or access information in the terminal equipment of a subscriber or user on more than one occasion, it is sufficient for the purposes of this regulation that the requirements of paragraph (2) are met in respect of the initial use. (3A) For the purposes of paragraph (2), consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent. (4) Paragraph (1) shall not apply to the technical storage of, or access to, information—(a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or(b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.