Monday, 28 May 2012
The EU cookie law, what a mess..

If you haven't already noticed, the EU cookie law became mandatory in the UK over the weekend.

However, it has left a terrible taste in the mouths of several website owners, because the ICO (Information Commissioner's Office) stated at the last minute that it was OK to rely on "Implied Consent", as opposed to explicit consent, before placing cookies on the user's machine. While thousands of website owners will rejoice, those that had committed the resources to meet the explicit cookie consent requirement are probably fuming.

Implied consent effectively places the onus back on the user by telling them that, by using your site, a cookie will be or has already been placed on their machine. If they are unhappy about this, they can remove it themselves, or they can just continue using your site as usual. As a large majority of sites have been informing users about the placing of cookies on their machines in their privacy policies for years, you can't help but feel that the law has somewhat lost its bite and that this makes a mockery of the whole situation.

What is interesting is that there appears to be an attitude among some companies to sit back and see who gets sued first before taking any action. You can certainly understand their reaction when a large number of government websites are themselves not compliant. direct.gov.uk this morning appears to be following the implied consent route, placing cookies on your machine and displaying a small message at the bottom of the page about their cookie policy.

You can't help but feel that when the government came to overhaul their websites to try to meet the explicit cookie consent requirement, someone said "Hang on a minute, we have X hundred sites and we're going to have to recode how all of them handle cookies in one year!". I also couldn't help but wonder whether developers looked at the issue and discovered that certain server technologies they were using just couldn't be changed to handle the new cookie law requirement. The issue probably fell heavily on the ICO's shoulders; you can almost picture that meeting taking place. How on earth could they enforce a law the government itself was not even abiding by?

How are websites implementing the cookie law this morning?

No 10 Downing Street - number10.gov.uk

No 10's website (you guessed it) has gone for "Implied Consent". I get 4 cookies placed onto my machine. You'll be forgiven if you missed the information about cookies; I've highlighted it for you below.

image
Amazon.co.uk

Amazon placed 9 cookies onto my machine as soon as I visited the website with an anonymous browser. They also appear to have gone with implied consent: scroll right to the bottom of the page and you will see the words "Cookies & Internet Advertising" in the footer.

Lloyds TSB - www.lloydstsb.com

Lloyds TSB have a small message at the top of their site that links to their cookie policy.

Visiting several European websites, I found many of them also followed the implied consent pattern. The information about what cookies they placed on your machine was usually buried inside their privacy policy.

While it has been stated that Britain is out of step with EU law because of the use of "Implied Consent", which could lead to fights in the European courts, you can't help but feel the law really doesn't hold much water if the rest of Europe appears to be following the same approach. Perhaps someone somewhere responsible for the law realised what a massive mistake it was, and hopefully it will slowly be forgotten as yet another mistake. You only have to look at the European Union's own website, which also uses "Implied Consent" with some details in its "Legal notice", to realise that not much will probably happen as long as you explain your cookie policy in your privacy policy.

Report those offending cookies

The ICO has also created a page to allow members of the public to report their concerns about the use of cookies. Personally, I really can't see too many people using it if they were not aware of what cookies were to begin with. I would guess it is targeted more towards technically minded people; however, these types of people are more likely to just delete the offending cookie from their browser than to think anything more of it.

Fighting Crime

The ICO also states on its website that "...the intention behind this Regulation is also to reflect concerns about the use of covert surveillance mechanisms online." It goes on to explain about the use of spyware and that "...such activities often have a criminal purpose behind them.". While I appreciate the intention of the law to fight crime, I don't believe a criminal enterprise is going to stop using cookies in this way because it is illegal to do so. However, when a criminal is charged with this very offense, I presume I will stand corrected.

I wait to see what will happen in the coming months, if anything happens at all..