I’ve been on record a number of times saying that I think the EC Directives relating to cookies are fundamentally flawed. We could make a parallel with the current UK/EU Euro ‘situation’ but let’s not go there. In the UK the Information Commissioner’s Office (ICO) has a duty to enforce these directives and, as they say, “This isn’t going away. It’s the law.”

Yesterday the ICO released its updated guidance for UK website owners. You can download the PDF from the link in the news release. 

Given the tough task of interpretation, guidance and enforcement that is the ICO’s duty, I have to say that I think this document is a valiant and comprehensive effort given the task and I’d commend them for this. I would urge you to read it for the full details. It is clearly written and quite practical.

Below are some of my initial thoughts on reading this latest guidance.

Responsibility for educating users about cookies is being devolved to site owners.

My overriding feeling having read the report is that it is clear that whilst everyone, including the ICO, recognises that users don’t understand cookies (nor do they probably want to) and that there are, in my view and many others’, better solutions on the horizon (e.g. browser settings), we are about to hit a point where all website owners are going to have to deal with the inevitable pain of trying to educate users about cookies

I see no indication that any government, EU or national, or any particular body or association is going to take the (financial, mostly) responsibility to educate users at any scale. 

Indeed, it would be very hard to do so. However, there are parallels where this sort of task is being done e.g. the switch off of analogue TV in the UK which Ofcom is currently ‘marketing’ at scale. But the internet doesn’t deserve such treatment? 

So those of us who run sites are going to have to force it down our users’ necks and, maybe if we did it all at once, then the medicine will be bitter but swift and we can all move on. Maybe.

There are still some areas which appear near impossible for compliance.

The report mentions, almost in passing, that devices like mobile phones, internet-connected TVs and gaming consoles are covered by these directives and the same level of compliance is required as for websites. 

Not surprisingly the report doesn’t go into much detail as to how, practically speaking, you would be expected to implement such compliance on a mobile phone let alone a TV. It has got user experience train wreck written all over it. 

Also, third party cookies remain a nightmare from a compliance point of view. The report says ‘this is one of the most challenging areas’. You’re not wrong there. Even if one discounts the obvious challenges around cookies for third party analytics, targeting and so on, what about all those embedded YouTube videos, those embedded Slideshare presentations, not to mention any kind of widget, social log-in button, etc, all of which want to set cookies? 

The whole internet experience is becoming even more ‘networked’, embedded, atomised, API-ised. Trying to separate ‘first and third party’, even what constitutes a ‘single website’, is increasingly impossible. And, as with analytics tracking, there seems to be very little evidence to me that the users we’re supposedly ‘educating’ for some benefit really care or want these complexities explained.

Woah! The “that’s-going-to-be-interesting-to-see” bits

A few parts stood out for me that throw up a lot of big challenges:

  • Essentially it seems that whilst there is a lot of talk about ‘shared responsibility’ (= unworkable), it is site owners who have to take responsibility for informing their sites’ users about third party cookies. The report even suggests to those third parties that they write into all their contracts that it is the site owners’ responsibility to ensure their users are informed, and consent to, the third party cookies. So I assume the likes of Facebook, Amazon, Google, Apple etc. will all abrogate responsibility legally to the rest of us and it’ll be our job to explain what exactly Facebook is doing with cookies when our users log into our sites using Facebook Connect, for example? What fun.
  • Non-EU sites will still be expected to comply where there are EU users using their sites. I’m fascinated to see what the likes of Facebook and Amazon have to say about this. Amazon famously ignored pressure to adopt Visa’s 3D secure. Will the Americans laugh in the face of the EU? And if none of these sites comply then what will that mean for the rest of us who will be freaking out our users with these ‘unusual’ messages? And is everyone confident they can even accurately identify ‘EU users’?
  • ‘Device fingerprinting’ as a way of identifying a user is OK but cookies are not?! I’ve always thought that it has not been adequately clear what ‘personally identifiable information’ actually means. For me it means someone knows my name and where I live I guess. However, these Directives see cookies as ‘personal information’. I don’t. It seems, though, that device fingerprinting, is allowable. So are we just going to see a mass transition amongst tracking/analytics technologies away from cookies to device fingerprinting instead? Like the earlier moves from cookies to ‘Flash cookies’?

There are still plenty of grey areas or ‘loopholes’

Of course, I would not, could not, advocate site owners try to find ‘loopholes’ or ‘workarounds’. But it is necessary to try and see past the ‘could’, ‘might’, ‘in theory’ language that permeates this latest guidance to make decisions on what we actually do. 

The report does give a lot of very useful guidance on practical steps in section 10. None of this is that new and we have covered it before but it does outline the steps that organisations must take to be on the safe side of compliance. 

However, the grey areas or ‘loopholes’ that I noticed were as follows:

  • A distinction is made between ‘subscribers’ (those paying for the internet connection) and ‘users’, where the former’s preferences might take precedence. A single ‘subscriber’ in a household, therefore, might be able to determine cookie opt-ins on behalf of the whole household? More interestingly, in a work-based internet usage scenario, “… it would not seem unreasonable for the employer’s wishes to take precedence”. Given most usage of the Econsultancy site is at work, does this mean we’re a bit more exempt from compliance? (Intranets, by the way, are deemed to be exempt, at least by the UK’s ICO). 
  • It is allowable to ask consent for *all cookies you use at once*. Yes, you have to explain what all those cookies are and what each one/type does. But we all know that no-one reads those explanations. People see an annoying tick box thing and probably make a fleeting judgment on whether to proceed or not. If the main message here is “Consent to cookies so we can save your settings” and the detail contains “useful information on the benefits to you of behavioural targeting” then you can imagine you’ll get a lot of consent. If, on the other hand, the main message conveyed is “Consent so we can target you behaviourally… honestly it’s a good thing, and, in any case, you’re getting this for free so we’ve got to make money somehow…” you can imagine consent levels will be less good. So essentially it appears possible to use ‘Trojan Horse’ cookies to sneak the more ‘evil’ ones through in the small print. Clearly this absolutely isn’t in the spirit of the guidance but appears allowable.
  • In a similar vein to the above it appears you can retro-actively add new cookies, or alter the function of existing cookies, without re-seeking as explicit consent as you require the first time around. The language is vague here and clearly this would be a bit ‘sneaky’ but there is nothing explicit around requirements for re-consent if you change your cookies. We might see some ‘bait and switch’ cookie consent tactics going on?
  • It is pointed out that where users log into your site it should be relatively easy to ask them for consent to cookies. Though this will need to be done *separately and in addition to* your usual T&Cs. So I’m seeing two checkboxes rather than one. This seems reasonable. However, it is much harder to get consent from anonymous users. And it is now no longer acceptable to take the user’s browser settings as ‘implied consent’. However, if you show some kind of message or notice (that needs to be suitably ‘distinguishable’, ‘prominent’, ‘positioned correctly’) and the user neither consents nor disagrees i.e. takes no action at all (which seems very likely) then this can be taken as implied consent. So I suspect we’ll be entering an era where there is some mechanic/user interface which is deemed ‘prominent enough’, that users will likely learn to ignore, and that will be enough to comply for non-logged in users. This will be important for a lot of publishers.
  • “The level of consent required for any activity has to take into account the degree of understanding and awareness the person being asked to agree has about what they are consenting to.” Does this mean, for example, that Econsultancy’s user base of internet-savvy professionals would need a lower level of consent?
  • The “Google Analytics Exemption”? The final page of the report contains guidance on the use of analytical cookies. Whilst it is clear that analytical cookies (for many this means Google Analytics) are covered by the directives, the wording here suggests that if you are using such cookies in a “non-intrusive” way (and Google have always been *very careful* not to associate Google Analytics with any personally identifiable information – indeed you are not allowed to under GA’s terms of use) then “.. it is highly unlikely that priority for any formal action would be given…”.  I read that as “we’ve got better things to do than go after people using web analytics”’. 

I think it is clear enough what organisations need to do, albeit there are still areas of compliance that are going to be very problematic from a user experience viewpoint.

Those hardest hit are large media properties that have mostly anonymous users and rely on technology-driven targeting for advertising optimisation as these are deemed the most ‘intrusive’ cookies. However, there are a number of ‘get out clauses’ for these players, most obviously the surprising apparent allowance of device fingerprinting technology for user identification.

What do you make of it all? Which areas concern you most? Let us know in the comments below…