The cookie law is ‘dead’

ICO reverts from asking for consent to merely stating cookies are used

No more panic about cookies? Here's hoping

The decision by the Information Commissioner's Office (ICO) to stop asking for explicit permission to serve cookies has been cited as the death of the cookie law.

Last year we reported on the EU cookie law after software company Silktide launched a protest site and subsequently predicted that the law was doomed to die.

In a blog post, Silktide MD Oliver Emberton cited the ICO's policy changes, saying that the law is “dead at last”.

The ICO is responsible for policing the UK’s cookie law and claims the new rule change remains consistent with its own guidelines. The ICO adds that people are now more aware of cookies. Therefore, it's “appropriate [to] rely on a responsible implementation of implied consent”.

We spoke to Emberton about the law and the ICO’s new direction regarding cookies.

.net: So does this new advice mean the law is effectively dead and the industry and clients have wasted piles of money on a pointless episode?
OE: Pretty much. All the complex solutions, which actually blocked certain cookies and so forth, were a waste. The panic, meetings and audits were certainly a waste. The people who simply put a cookie page up apparently did the right thing.

All that energy was directed at interpreting a confusing and counter-productive law instead of actually making changes that could help people's privacy. As most people don't know what cookies are, banners saying, "we use cookies" are pointless.

.net: But does the ICO’s change mean the law is officially dead, or will the ICO change its mind again, and go after web devs who don’t display massive cookie banners asking for consent?
OE: I'm 99.9 per cent sure. We know the regulator's website will be using opt-in, a decision I'm sure they didn't take lightly. We know they say that this approach is legal — now — because "many more people are [now] aware of cookies". We know that they're glacially slow to react, and have been exceedingly light-touch in enforcement, writing a handful of letters to Google, Facebook, and so on, congratulating them for having cookie pages. I think it's clear at this point they've no appetite for the law they've been asked to enforce.

.net: So what would you now recommend devs and designers do regarding cookies?
OE: We now know the ICO audit process is purely ‘visual’, judging websites based entirely on whether they look like they're complying. There's no inspection of cookies, or code, or what the site does. Presumably such an audit hasn't a clue about, say, Facebook using cookies in its Like buttons. All they're looking for is something like a cookie banner or link to a cookie page.

So my advice is to create a cookie page that explains what cookies you use (like everyone did back in 2009), and link to that in your footer. If complaints became a problem, the ICO would write politely to you, and you may make your link more prominent. It's a farce, but that seems to be all they're looking for.

4 comments

Comment: 1

This article reminds me of those that took a similar line with ‘flash is dead’.

The law is far from dead, the ICO are simply removing explicit consent from their messaging as implied consent was the allowed change at the 11th hour. They are still complying and are not removing the messaging from their website so users are still aware.

Yes the law is silly, providing a page about which cookies are used on a website should be more than enough but just because one person’s views are that it’s now all over does unfortunately not make it true.

Comment: 2

This article is entirely misleading. All that has happened is that the ICO has changed their site to the implied consent model that their existing guidance says is acceptable.

However, anyone looking at the new ICO site will see that they still provide functionality to prevent the site using cookies, without relying on a blanket 'delete all your cookies in your browser' approach.

What the ICO has actually done with this change is provide a new reference model for people to comply - and shown what they expect implied consent to consist of.

This is great for site owners - they can now follow the ICO's concrete example and know that they will be compliant with the law.

Conversely, any site that does less than the ICO is at higher risk of being seen as non-compliant. That does not mean that they are immediately going to be fined, but it does expose them to the possibility of complaints and enforcement. This is something that many site owners would rather play safe on.

Comment: 3

I agree with digitalclubb!

To give the ICO their dues, they were never that enthusiastic about the PECR Directive: in my view, every message from the ICO has demonstrated reluctant compliance. The last thing the ICO needs to regulate in a digital society where privacy is threatened at every juncture, is having to police innocuous cookies!

The law is not dead. Parliament is not going to amend the law just because the ICO has taken a more sensible and compliant approach. I am not saying this because I am a lawyer - website owners should still make an assessment about the appropriate level of compliance taking into account the nature of their websites and the intrusiveness (or perceived intrusiveness) of the cookies they use.

Comment: 4

This is really hard to decide whether it is significant or not. Sometimes cookies play a vital role in the web processes but they are very responsible for hacking issues.