Critics chew on EU cookie ban

The UK government’s approach to the refreshed EU cookie laws has been labelled a “mockery” and “useless” by one critic. Others have warned the laws could have a severe impact on consumers’ browsing habits.

The criticism comes as the government prepares to put the legislation into force. Users will have to give their permission for websites to install cookies through their internet browsers.

Previously, the rule on using cookies for storing information was that companies had to tell people how they used cookies, and tell them how they could ‘opt out’ if they objected.

Communications minister Ed Vaizey has said that the government will work with browser manufacturers to ensure users are able to give permissions for cookies on an ongoing basis.

However, it seems as though the Information Commissioner’s Office (ICO) has been given an easy ride, with Vaizey admitting it is unlikely that it could take enforcement action in the short term against businesses and organisations, as they work out how to address their use of cookies.

The ICO has also ruffled a few feathers, announcing today that it is giving organisations and businesses that run websites aimed at UK consumers up to 12 months to ‘get their house in order’ before enforcement of the law begins.  

Information Commissioner, Christopher Graham, argues his organisation has said all along that the EU rules on cookies are “challenging”. Graham acknowledged that they will “obviously ruin some users’ browsing experience if they needed to negotiate endless pop ups.”

However, he points out in a statement that it’s worth taking a “common sense approach” which takes both views into account.
 
“Browser settings giving individuals more control over cookies will be an important contributor to a solution. But the necessary changes to the technology aren’t there yet,” he said.

As a result, the government has said it doesn’t expect the ICO to enforce the rule straight off the bat. The watchdog has taken it upon itself to give businesses a year to sort themselves out.

According to Kim Walker, partner at law firm Thomas Eggar, the delay raises some interesting questions. The ‘wait and see’ policy referred to in the ICO guidance “suggests that the browser manufacturers are being pressed to find a technical solution, by which browsers can be enhanced to meet the requirements, with users having more information as to the use of cookies and being presented with easily understandable choices.”

Walker mentions the ICO’s blunt teeth, with its power to issue fixed penalty notices for data breaches, introduced last year but rarely used.

It’s more likely “to be a deterrent for businesses which can profit substantially from the information contained in cookies to tailor advertising, for example.”

Andreas Edler, managing director at Hostway UK, reckons the government should have taken a more proactive approach towards the law’s implementation.

As the law has been discussed among EU members, including the UK, since September last year, he wonders why “only now is the ICO starting to treat it as a matter of priority?”

“Clearly, most businesses and organisations won’t have been able to make the changes by the 26th May deadline. In my view, this is really making a mockery of the law,” he said, speaking to TechEye.

“Why implement a law when you have only just started to tell people what they can do to abide by it?”

The new laws have also been slammed by privacy groups.

Jim Killock, executive director at the Open Rights Group, told TechEye: “The UK is planning to make the new law meaningless. They are saying if you agree to cookies, you agree to be spied on. That makes the new law worse than useless.”

Andreas Maurer, head of Social Media at 1&1 Internet, was slightly more lenient, calling the ePrivacy directive “well intended.”

However, the current version is “neither feasible nor helpful.”

“The new e-privacy law doesn’t provide regulations for which way European governments should protect users from tracking technologies,” he said, adding it’s “unacceptable and unrealistic to make every visitor of a website consent to each cookie when surfing online.”

The ICO moved earlier this month to put in place guidelines to help businesses comply with the laws. A suggestion is looking at pop-ups, though most of us had hoped to see the back of that particular trend.

Another idea was using the terms and conditions of a subscription-based account to ensure the cookie policy is more prominent as well as adhered to, while another recommendation is having a note at the top of a site when cookies are in use.

The only time that websites can get away with keeping schtum about cookies is when they have been requested by a user. This includes cookies for logins or online checkouts.

That hasn’t appeased Hostway’s Edler, who told us: “The guidelines produced by the ICO seem to pose more questions than answers.

“It still is unclear how the law applies to the average small business or what changes users need to make in order to comply with the legislation. The legislation has good intentions in aiming to help protect peoples’ online privacy but it has opened up a minefield of compliance issues.”

Eggar partner Ms Walker, however, believes the guidelines could help businesses in the long term: “This is a good time to carry out a ‘back to basics’ review of the business case for using cookies and then assessing how intrusive they are going to be in the collection of personal data. 

“Cookies will range from the benign to capable of securing highly intrusive data.

“The ICO’s guidance is that there are a number of initiatives that seek to ensure that users are given more and better information. It will be important to check wording in Privacy Policies does actually state what happens to the data a business collects via cookies, and where possible to follow independent self-regulatory frameworks such as that published by the Internet Advisory Bureau Europe on online behavioural advertising.”

She added that being seen to have carried out a review may be looked on favourably if a data breach is notified, but it is “difficult to provide clear risk analysis without an indication of the penalties.”

Walker says businesses should carry out any processes for the new law internally.

“A fully transparent cookies ‘opt in’ procedure may not involve much more than following a self-regulating framework at this stage which keeps the choice and ultimate decision to turn off cookies with the user.

“The business will need to decide how much attention it gives to this in its privacy policy,” she said.