The UK information commissioner has issued his “half term” report on compliance with Europe’s new cookies laws. These laws require websites to obtain consent before setting a cookie, unless that cookie is needed to provide a service requested by the user.


The information commissioner sounds like a weary school teacher and resorts to frustrated clichés: “could do better” and “must try harder.” These conclusions reflect research we carried out in the UK which shows that around 50 percent of the public sector and over 80 percent of the private sector have yet to take any obvious steps to comply with these laws—based on a survey of 70 public and private sector websites in the UK (December 2011 and January 2012). So what else can we learn from this report?


Updated compliance guidance


The report is accompanied by updated guidance on how to comply with these new requirements. Parts of that guidance are new, but the key recommendations are unchanged. Organisations should:


  • Audit the cookies they use and work out if consent is required;

  • For cookies that require consent, assess how intrusive that cookie is, and

  • Decide how best to obtain consent.


While the difficulties of auditing a large web presence should not be underestimated, the most pressing question for most organisations is how to get consent. Some changes to the guidance point to a hardening in the information commissioner’s interpretation of the law.


First, there have been suggestions that consent can be obtained after a cookie has been set. The information commissioner downplays this approach, pointing to the logical difficulties in obtaining consent after the fact. He states that, wherever possible, the user should first be given information about those cookies and the choice over whether to accept them.


Secondly, it is unlikely that users provide “implied consent” simply by visiting a site. This is because “general awareness of the functions and uses of cookies is simply not high enough.” The corollary to this is that organisations must do more to inform users about the use of cookies.


Thirdly, organisations cannot wait for browsers with enhanced privacy settings. Despite the government’s work with browser manufacturers, it is not clear when these changes will be made, and many users will continue to use legacy versions of these browsers.


Options to get consent


The guidance suggests a range of options to get consent, set out below. It is also important to note that consent can be given for a class of cookies—rather than on a cookie-by-cookie basis—and only need be given once, even if the cookie is accessed from multiple sites.


Regardless of the option selected, organisations should provide visitors with clear, easily accessible information about which cookies are used and why. The current work by the International Chamber of Commerce UK (ICC)—which is working on its own cookie guide that includes precedent wording to inform users about the use of cookies—should be helpful here. The “less compliant” the solution, the more important this duty becomes.




What about analytic and OBA cookies?


The options above will make it relatively easy to get consent for some cookies in some situations; e.g., where users have to accept terms and conditions to access a site. However, difficulties remain in other cases, particularly cookies used for analytic purposes and online behavioural advertising.


There is good news for the former. Recognising that many analytic cookies do not present any real privacy risks, the information commissioner states that “it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals.”


The position is more mixed for the latter. The information commissioner recognises that obtaining consent for online behavioural advertising cookies is “complex” and there are a “number of initiatives that…will no doubt adapt to achieve compliance with the new rules.” Whether this optimism will survive the Article 29 Working Party’s savaging of the EASA/IAB proposals for Online Behavioural Advertising (Opinion 16/2011 on EASA/IAB Best Practice Recommendation on Online Behavioural Advertising) remains to be seen.


What next?


The information commissioner’s report and updated guidance arrive halfway through the 12-month grace period given to organisations to comply with these new rules. That grace period comes to an end in May, by which time organisations should “have taken sensible, measured action to move to compliance.” If full compliance has not been achieved, the information commissioner “will expect a specific and clear explanation of why it was not possible to comply in time, a clear timetable for when compliance will be achieved and details of specifically what work is being done to make that happen.”


This hardly sounds like sabre rattling. The information commissioner’s limited enthusiasm may originate from the lack of consumer engagement—the guidance itself notes that there are hardly any complaints about the use of cookies—but there is, nonetheless, a clear determination to enforce these requirements. With the grace period in the UK now running out, and an increasing number of European jurisdictions also implementing these laws—10 at the last count: Finland, France, Hungary, Ireland, Latvia, Lithuania, Luxembourg, Slovakia, Sweden and the UK as of November 2011—organisations “must try harder.”
