The cookie law is "doomed to die"

Silktide MD blames low understanding and policy U-turn


Earlier this year, .net reported on the EU cookie law and the UK’s interpretation of it, along with a protest site created by Silktide, aiming to reverse the legislation. Since that time, various arguments have erupted online regarding what people have to do in order to make their sites compliant, something further confused by the Information Commissioner's Office (ICO) doing something of a U-turn at the eleventh hour.

Silktide MD Oliver Emberton has now released a new video about the cookie law, entitled 28 Days Later, reporting on the shambles. He told .net: “Enough time has passed since the law came into effect to draw some conclusions, so we decided to measure what real sites were doing. The results were so shocking we had to share.”

Emberton said that he’s met with a lot of organisations to discuss the cookie law, and “generally awareness is high but understanding is low”. Typically, companies disagree internally about what to do, with many opting for a wait-and-see approach. Those that do something opt for what they perceive to be the absolute minimum, according to Silktide’s research: 76 per cent of sites simply added a link to a cookie policy.

According to Emberton, this isn’t what the law intended, but that’s where it’s headed: “It’s unpopular and without clear benefits or penalties. Laws like that don't tend to fare well in real life. It's a bit like making it illegal for people to tape songs off the radio – you're fighting human nature. It may simply be unenforceable.” Furthermore, Emberton noted in his video that the complaints procedure is overly complex; and although the ICO has claimed it’s received hundreds of complaints, Emberton told .net “that is actually an exceedingly low figure, given 95 per cent of UK sites – millions of websites – are likely violating the law. The ICO has made it extremely hard for any 'normal' person to raise a complaint.”

His advice to most web developers now is just to include a link to cookie law policy on every page, since in the “impossibly unlikely event that the ICO pursues a complaint, that demonstrates you're 'working towards compliance'”. Emberton told us he recognises this is a “sham” and does “almost nothing for the spirit of the law,” but added that it’s unobtrusive and covers the risk for most organisations. “If you're corporate or public sector you might want to go further, but apparently it's good enough for Amazon and DirectGov!”

5 comments

Comment: 1

I still maintain that the ICO has done a pisspoor job of explaining this law, it took me several readings of the original para. in the directive and a lot of other reading around to actually understand what is/is not exempt.

From what I understand, for a law to be actually legal a person must be able to understand when they are breaking that law. Never mind enforceable, until the ICO pull their finger out and give a comprehensive (comprehensible?) explanation as to WITF is actually required the law itself is on shaky foundations. First it needs to be made understandable (which I believe it can), then it needs to be made doable by all the thousands of webdevs who aren't writing their own CMS's but use CMS's which don't care about EU directive compliance or we'll be seeing the argument that it's an undue burden on the business (which it currently is).

Comment: 2

I have to disagree with the analogy of taping off the radio - that is about businesses being heavy handed with consumers.

The cookie law is all about consumer protection from businesses, their gathering data on the quiet, and without consent.

The law may be unpopular with businesses that rely heavily on such data - but that is no good reason to try to kill it off.

That is more like saying that banks don't like regulation that protects consumers - so we shouldn't have that either.

Online advertising, which of course is the core of what this is about, is currently based on a business model that relies on the ignorance of consumers - and that cannot be right, or sustainable in the long term. As the banks are now finding out.

What the cookie law is really about is transparency - making people aware of the reality, and giving them a choice. I am not against online advertising - I appreciate that I get a lot of free content as a result of it. But I am not happy that so much goes on without my consent, knowledge or simple control.

I can clear out my cookies in my browser (though of course many don't know they can), but that often means throwing out the bad with the good. Give people choice and control up front - and this will lead to a transparent exchange of services for data. Which results in the long term with both improving.

The ICO could do much more to enforce, without getting heavy handed - by pointing the way towards the best practice that they would like to see more of. And maybe slapping down a few of the more shoddy attempts to make it look like a site is trying to comply, without actually bothering.

I think it is still too early to say they won't do that. And it is still too early to say that consumers won't demand better choice in time.

Comment: 4

@richardbeaumont has some very valid points and views that I share as well. Consumer protection is the key here.

Yes, it does mean more work to make your sites compliant, but we can't rubbish the Cookie law because it means more work for us.

We tend to moan about Social networks misusing our information/violating Privacy from time to time, yet when the coin is turned, we think otherwise. Crazy!

Comment: 5

I'm not rubbishing the cookie law, I'm rubbishing the way in which it has been introduced and explained. I'm aware of too many people in industry working in small shops, just two or three people, who rely heavily on others' code because they're not proficient programmers themselves (or in some cases, programmers at all beyond HTML+CSS) and are not DPA experts.

Comments such as this one http://wordpress.org/support/topic/how-can-we-control-cookies-with-new-e... are not helping when repeatedly making wrong assertions about which cookies are affected (and I have told him this).

There are a lot of people bricking themselves because they worry about being compliant but they've read all the ICO docs and they still don't know what makes a 'technical cookie', they still don't understand what's exempted by its necessity and they wouldn't know where to start blocking cookies dropped by just about every CMS from behind the API layer.

IF the ICO clears up its explanations that would be step one towards this law being reasonable.

eg. explaining that a shopping cart is 'exempt' because by explicitly requesting the site to store data in a personally identifiable fashion the user is not just giving you permission to store data in this way, they're telling you to do so. I haven't seen this explained anywhere.

IF the ICO or EU work with the producers of CMS's to expose control of all cookies to the API so people have the ability to comply with this directive without specialist knowledge that would be an important second step.

Until then, I'm not saying people are finding it difficult to comply or that it's 'extra work', I'm saying they don't know what compliance is and if they did they wouldn't know how to. There are people in this industry who can not meet these requirements even though they want to.