Something to chew on: the ICO's vague cookie advice

If the Information Commissioner's Office has its way, cookies will soon be a lot less tasty to website operators.

That's because on May 26, the rules governing the use of cookies on websites in Regulation 6 of the UK's Privacy and Electronic Communications Regulations 2003 will be updated, in accordance with a new European Directive, to require that a user "has given his or her consent" to the placement of a cookie.

Is this the end of cookies as we know them? Fortunately, it isn't. Because this requirement would utterly upend the workings of many modern websites, naturally there's an exception. In an advice document, the ICO explains:

The only exception to this rule is if what you are doing is ‘strictly necessary’ for a service requested by the user. This exception is a narrow one but might apply, for example, to a cookie you use to ensure that when a user of your site has chosen the goods they wish to buy and clicks the ‘add to basket’ or ‘proceed to checkout’ button, your site ‘remembers’ what they chose on a previous page. You would not need to get consent for this type of activity.

Since "strictly necessary" could be construed in many ways, the ICO notes that this phrase should be interpreted narrowly.

As an example, "The exception would not apply...just because you have decided that your website is more attractive if you remember users’ preferences or if you decide to use a cookie to collect statistical information about the use of your website".

Of course, "strictly necessary" is not cut and dried, even in this example. If a registered user of your website decides to save his or her preferences by clicking a button labeled 'Save', wouldn't honoring that request make it necessary to store them in some fashion? In this case, saving data via a cookie could reasonably be considered "strictly necessary" based on the user's behavior.

You're probably asking by now: forget about my cookies, what about third party cookies? The ICO and its EU overlords are still looking for "the right answers" around these, so the ICO "would advise anyone whose website allows or uses third party cookies to make sure that they are doing everything they can to get the right information to users and that they are allowing users to make informed choices about what is stored on their device." In other words, anything goes!

Which just about sums up the ICO's epic conclusion:

...we do not intend to issue prescriptive lists on how to comply. You are best placed to work out how to get information to your users, what they will understand and how they would like to show that they consent to what you intend to do.

At the end of the day, even though the ICO says "you cannot ignore these rules," it's obvious the ICO isn't going to be able to follow up on every report of a rogue cookie. Much of the time, consumers can't even reliably discern what a particular cookie does, and the cookies that have the greatest privacy implications are the third party cookies nobody knows how to handle.

As a result, the new rule appears quite toothless. This, of course, is a good thing given how misguided the European Directive is in the first place.

Patricio Robles is a tech reporter at Econsultancy.

Reader comments (6)

  1. Rob Jackson

    11:18AM on 11th May 2011

    The ICO's own website has a 'Privacy Notice' link in its footer which points to a description of what data GA collects. I'm personally going to follow what they do as what they say is so ambiguous it's useless.

    Considering the UK digital marketing industry turned over more than £4 billion in 2010 I see this as a severe government failure to protect one of its key growth sectors.

  2. Jon Line

    3:28PM on 11th May 2011

    I will be personally checking the government's websites to make sure they obey the guidelines they have allowed to be imposed on everyone else.

  3. Ashley Friedlein (Staff)

    CEO at Econsultancy

    11:12AM on 12th May 2011

    There's an excellent comment on this topic from Depesh at Tesco over in our forum - see http://econsultancy.com/uk/forums/best-practice/eu-cookie-ruling?page=1#forum_post_14291

    Definitely worth a read.

    I particularly enjoyed his point 7:

    "The funniest thing? Well if you visit a website and reject cookies, then each AND EVERY time you visit that website you will be prompted on whether to accept the cookie; how else would the browser or website know that you'd already said no?!!! This on its own is likely to lead most customers to (eventually) opt in for the sake of their sanity."

  4. Depesh Mandalia

    Head of Digital at QualitySolicitors

    2:57PM on 17th May 2011

    thanks Ashley :-)

    The very fact we're still debating the uncertainty won't be lost on the 'enforcers' I'm sure; my key concerns are how consumers will react and the impact on the company castigated and made an example of if this really lands...

  5. Oscar Riera

    8:38AM on 19th May 2011

    @Ashley Friedlein: well, this comment is not correct.

    If you ask the website not to track you with cookies for statistics (for example), then the website is allowed to put a cookie to store that (and only that), as it is strictly necessary for the service.

    That said (and this is my personal opinion), these cookie laws are completely insane and done by people who actually have no idea of what they're doing.

  6. Ashley Friedlein (Staff)

    CEO at Econsultancy

    9:44AM on 19th May 2011

    @Oscar - yes, I guess you have a point there. However, I reckon users would be pretty confused about this whole area and would have no idea about what is 'strictly necessary' or not.
