If the Information Commissioner’s Office has its way, cookies will soon be a lot less tasty to website operators.
websites in Regulation 6 of the UK’s Privacy and Electronic Communications Regulations 2003 will be updated in to require that a user “has given his or her consent” to the placement of a cookie in accordance with a new European Directive.
Is this the end of cookies as we know them? Fortunately, it isn’t. Because this requirement would utterly upend the workings of many modern websites, naturally there’s an exception. In an advice document, the ICO explains:
The only exception to this rule is if what you are doing is ‘strictly necessary’ for a service requested by the user. This exception is a narrow one but might apply, for example, to a cookie you use to ensure that when a user of your site has chosen the goods they wish to buy and clicks the ‘add to basket’ or ‘proceed to checkout’ button, your site ‘remembers’ what they chose on a previous page. You would not need to get consent for this type of activity.
Since “strictly necessary” could be construed in many ways, the ICO notes that this phrase should be interpreted narrowly.
As an example, “The exception would not apply…just because you have decided that your website is more attractive if you remember users’ preferences or if you decide to use a cookie to collect statistical information about the use of your website”.
Of course, “strictly necessary” is not cut and dried, even in this example. If a registered user of your website decides to save his or her preferences by clicking a button labeled ‘Save’, wouldn’t honoring that request make it necessary to store those preferences in some fashion? In this case, saving the data in a cookie could reasonably be considered “strictly necessary” based on the user’s behavior.
You’re probably asking by now: forget about my cookies, what about third party cookies? The ICO and its EU overlords are still looking for “the right answers” around these, so the ICO “would advise anyone whose website allows or uses third party cookies to make sure that they are doing everything they can to get the right information to users and that they are allowing users to make informed choices about what is stored on their device.” In other words, anything goes!
Which just about sums up the ICO’s epic conclusion:
…we do not intend to issue prescriptive lists on how to comply. You are best placed to work out how to get information to your users, what they will understand and how they would like to show that they consent to what you intend to do.
At the end of the day, even though the ICO says “you cannot ignore these rules,” it’s obvious the ICO isn’t going to be able to follow up on every report of a rogue cookie. Much of the time, consumers can’t even reliably discern what a particular cookie does, and the cookies that have the greatest privacy implications are the third party cookies nobody knows how to handle.
As a result, the new rule appears quite toothless. This, of course, is a good thing given how misguided the European Directive is in the first place.