Wondering how your business will address the new law that requires users to opt in to cookies? There's good news: you can procrastinate.
That's because the ICO, perhaps facing the reality that the new law is fatally flawed, has decided to give everyone amnesty (as the Telegraph calls it) for violating the law over the course of the next year.
According to the ICO's Christopher Graham, "We’re giving businesses and organisations up to one year to get their house in order." Translation: we're not sure how to implement or enforce this law, so please hold tight.
Which highlights the one big problem with the delay: the ICO really hasn't told companies how to get their house in order.
As I've noted before, the ICO has essentially punted on the issue of third party cookies, but those are the cookies that generally cause the greatest privacy concerns.
What is instructional is how the ICO has chosen to handle cookies on its website. If you go to http://www.ico.gov.uk/, you're now greeted with the following message:
On 26 May 2011, the rules about cookies on websites changed. This site uses cookies. One of the cookies we use is essential for parts of the site to operate and has already been set.
You may delete and block all cookies from this site, but parts of the site will not work. To find out more about cookies on this website and how to delete cookies, see our privacy notice.
Below this message is a "I accept cookies from this site" checkbox and a Continue button.
Needless to say, this doesn't provide for the most elegant user experience and realistically, this sort of implementation isn't viable on a commercial site. After all, there's a good chance that visitors not opposed to cookies will not accept them because they don't see or understand the message.
So what should businesses do? Wait and see. The ICO isn't going to be enforcing its new cookie law for a year because it doesn't know how to.
As The Telegraph notes, the person who is responsible for implementing the cookie law has told worried advertisers and retailers, "there is no indication in the definition as to when that consent may be given, and so it is possible that consent may be given after or during [data] processing." Whatever that means.
At the end of the day, there is no indication that the new cookie law will ever be deciphered, and in a year's time, it's likely that everyone will still be at square one.
Reader comments (5)
12:29PM on 26th May 2011
The real complication comes around cookies for third party services.
What about Google Analytics Cookies? What about cookies from Affiliate Management companies like Affilate Window or TradeDoubler.
The new ruling states that you are allowed to have cookies that are essential to the running of the site. Do Affilate management cookies fall nto this essential class?
12:51PM on 26th May 2011
Whilst "do nothing" could be viewed as the right approach, fro me the farce of this directive has highlighted many things but one of them is that most websites probably do not comply with the old law - the need to provide information about cookies and a need to opt-out.
I'm of the opinion that the next 12 months is a good opportunity to assess how cookies are being used on our site, be more open about them and generally educate as to why not all cookies are bad.
If as an industry we site back and do nothing we will only have ourselves to blame if we get a bad law/enforcement guidance.
Is relying on a browser solution where we want to be? Could it result in our useful toys we rely on to improve websites (i.e.analytics) being thrown out with the bath water?
Webmaster
9:28AM on 27th May 2011
Interestingly, only Estonia and Denmark have fully implemented the EU ruling into their law. UK, France, Slovenia, Luxembourg, Latvia and Lithuania have partially implemented it.
The other 19 countries have not implemented it all. Seems like most EU countries are not too keen on a law their representatives in the EU parliament have thrust upon them.
The battle of the next year as the EU tries to make countries comply will be interesting to watch, as will any attempts by the ICO to enforce this here.
Interestingly, the Number 10 web site (http://www.number10.gov.uk/) has not complied, and is has Google Analytics cookies, as well as third-party cookies from Facebook & Youtube.
Unless all government sites comply, the court proceedings as the ICO try to enforce this could become an even bigger farce than this law!
Director at Watson Hall Ltd
10:12AM on 31st May 2011
I think the ICO has given guidance on what to be doing.
Trying to ignore privacy will be like trying to stop a large wave, and that's not just coming from the EU. Wait until the US FTC publish their advice. Some "head in the sand" organisations are clearly going to be casualties.
12:11PM on 4th October 2011
There is some guidance on the ICO website (link below) but it's not especially helpful.
In essence it says shopping basket cookies are okay, but pretty much everything else is not - and that includes analytics. For these you will need to get user opt-in.
NB: The EU ruling is technology agnostic, so it's not just cookies, any cunning technical solutions will still be covered by the law.
Browser-based solutions can help. But we all still see IE6 in our site stats so that's no magic bullet. There could be a lot of work here for a lot of companies, especially those that in the affiliate or display-ad sectors.
Finally it's worth noting that this is law in the UK now, and anyone not making efforts already can be warned by ICO. The 12 months is a lead-in period not a delay.
http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/cookie_rules_prepare.aspx
Log in to post a comment