How a Cookie Law Crumbled

Stephen Yagielowicz

According to UKCookieLaw.org, the EU Cookie Law became effective in May of 2011, at which time the U.K.’s businesses were given a 12-month compliance window to come into line with this controversial law, created in response to amendments of the EU’s Privacy and Electronic Communications Directive.

“With a goal of ensuring websites are not tracking you, reporting on you and using your information and data without your permission that law is based on sound principal,” states a UKCookieLaw.org representative. “There has been much interpretation of how to implement the law and that debate continues.”

All that energy was directed at interpreting a confusing and counter-productive law instead of actually making changes that could help people’s privacy.

“The law does not tell you or dictate to you how to comply with it,” the rep explains. “The Information Commissioner monitors and enforces the law and is the body that can issue fines against website owners and ultimately take criminal proceedings. At the time of writing the likelihood of fine or criminal prosecution is low.”

The U.K.’s Information Commissioner’s Office (ICO), responsible for establishing the guidelines forcookie law compliance, sent a signal to website owners that the burden of the new law may indeed be for naught, when it not only revised the law days before its enactment, but also changed the way its own website handles cookies and compliance — by moving from an explicit to an implied consent model, not unlike the common practice in use since 2009, “except in a bigger font,” as one observer noted.

“This law has been much derided and ultimately proven to be unworkable by the people charged with enforcing it,” Oliver Emberton wrote for SilkTide.com. “The ICO is simply doing the inevitable: ignoring the law as much as they can, until it goes away.”

Emberton is not alone in his disdain for the legislation, which stems as much from its hamhanded approach as from its goals.

“It is almost as ludicrous as German sites with the ‘Imprint’ message,” Richard Robertson commented. “Even though there are clearly better translations of the German word (‘Legal’ or ‘Legal Statement’ are better choices) they still keep using a word that has an entirely different meaning than the one they intend.”

Perceptions of its uselessness aside, the cookie law remains very much in effect — with its last minute changes making it even easier for website owners to comply with.

For example, explicit permission from visitors before using cookies was modified to implicit acceptance. This is great news for publishers, as a 90 percent drop-off in visitors was reported by sites requiring explicit consent — such as the clicking of a checkbox that indicates the informed acceptance of cookies.

Obtaining implicit consent, on the other hand, may be as simple as displaying text or a banner linking to further information while informing the user that the site uses cookies, and that his or her continued visitation gives the practice the green light.

It sounds easy enough, but it seems a bit too much to handle for some companies.

A report by online privacy firm TRUSTe revealing the results of its analysis of more than 200 of the most popular U.K.-based websites, finds that while around half of these websites offer some form of privacy notice and cookie controls, around 37 percent seem to have taken no action towards complying with the law.

Of those sites found to be using third-party cookies, half had less than 25 cookies and 35 percent used 26-50 cookies, while 16 percent used more than 50 third-party cookies. Although 56 percent of studied sites used moderate to high levels of third-party trackers, only 17 percent of them have substantial cookie controls and prominent privacy notices, underscoring the scope of non-compliance — intentional or otherwise.

According to TRUSTe, creative, user-friendly approaches towards compliance are best when they are simple for users; provide easy cookie control settings; and individual descriptions of the cookie’s purpose. For example, displaying clear privacy notices that link to a page explaining what each cookie does while providing easily accessible cookie preference controls, in an audience friendly manner, is heading down the right track.

“Based on our analysis,” TRUSTe CEO Chris Babel stated, “it is clear that many companies have started to take the EU cookie directive seriously and devoted time and resources to implement a compliance solution that helps their users control the tracking activity on their site.”

Complaints to the ICO of sites using cookies without users’ permission are reportedly a fraction of those received in regards to other offenses. While fines of up to £500,000 ($774,150) may be imposed by ICO for non-compliance, enforcement letters are likely for websites making a good faith effort towards complying with the law.

That good faith effort can get a substantial jump start by following the ICO’s advice (www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/the_guide/cookies.aspx), along with its example; especially in how it informed visitors about changes (www.ico.gov.uk/news/current_topics/changes-to-cookies-onour-website.aspx), such as the following excerpt:

“The cookies we use are explained in detail on our cookies page. Cookies are used mainly to give us information that helps us make the website better,” states the ICO site. “By finding out how people use the website, we can make improvements that will help more people get the important information they need to either exercise their information rights or meet their obligations. The information collected via the cookies does not identify anyone.”

The ICO site now features a banner explaining that the website uses cookies and tells users that they can either change their cookie settings on the site’s new cookies page, or continue on to the site. By separating the cookie page from (but linking to and from) its Privacy Policy notice, the prominence of the information is increased, while providing website users with clear, detailed information about the site’s cookies and how to manage them using buttons that allow users to allow or deny non-essential cookies. Limits on the geographical information collected by the site’s analytics cookies were also imposed.

The ICO rationalizes the changes in its compliance strategy by stating that it made the changes “so that we can get reliable information to make our website better,” a statement that left many website owners asking, “What about [ICO’s own] rules on cookies?”

The organization maintains that it is indeed compliant with the latest rules and its own guidance in this area, pursuing the new policy due to better educated Internet users.

“We first introduced a notice about cookies in May 2011, and at that time we chose to ask for explicit consent for cookies. We felt this was appropriate at the time, considering that many people didn’t know much about cookies and what they were used for,” states the ICO website. “We also considered that asking for explicit consent would help raise awareness about cookies, both for users and website owners.”

“Since then, many more people are aware of cookies — both because of what we’ve been doing, and other websites taking their own steps to comply,” ICO added. “We now consider [that] it’s appropriate for us to rely on a responsible implementation of implied consent, as indeed have many other websites.”

It sounds like a case of “if you can’t beat them, join them” — and a smart idea at that.

Website owners, designers, developers and other stakeholders have faced frustrations over the cookie law and how it can best be complied with, while not placing a roadblock between website visitors and website content. It is not only the traffic loss resulting from cookie warnings and the unnecessary legal and implementation expenses occurred due to compliance attempts targeting a constantly changing regimen; it is the effort’s futility and mixed characterizations that adds insult to injury.

“The saddest irony of this saga is that the poor deployment and constant goalpost-switching around the mechanisms of the cookie law have meant that we have had no time to hold a meaningful discussion about online privacy and consumer protection,” stated Heather Burns of Glasgow-based Idea15 Web Design. “The original purpose completely disappeared in the implementation.”

It is a sentiment echoed by Emberton and others.

“All the complex solutions, which actually blocked certain cookies and so forth, were a waste. The panic, meetings and audits were certainly a waste,” Emberton exclaimed, noting that “the people who simply put a cookie page up apparently did the right thing.”

“All that energy was directed at interpreting a confusing and counter-productive law instead of actually making changes that could help people’s privacy,” Emberton added. “As most people don’t know what cookies are, banners saying, ‘we use cookies’ are pointless.”


More Articles


Privacy Notices Shouldn’t Be Treated as an Afterthought

Corey D. Silverstein ·

Legal Issues Pop Up When Filming Sex in Public

Lawrence G. Walters ·

A Road Less Traveled: Accepting Alternative Payment Solutions

Stephen Yagielowicz ·

Credit Card Processing Today: Decline or Dominance?

Stephen Yagielowicz ·

Shifting Regulations: Keeping on the Straight and Narrow

Stephen Yagielowicz ·

Putting Your Best Foot Forward: Billing's Best Practices

Stephen Yagielowicz ·

PornDoe Premium — 35 Network Sites and Counting

Rhett Pardon ·

Q&A: White Label Dating’s Steve Pammenter Expands Horizons

Alejandro Freixes ·

Facebook Ends Custom Link Preview Snippets

Lauren MacEwen ·
Show More