New cookie laws: why website owners should be worried
Kevin Partner and Davey Winder explain why small businesses have been left in the dark by the ICO’s guidance on new cookie regulations
The Information Commissioner’s Office (ICO) has just released guidance about the new cookie rules that will come into effect as soon as next week. And what a complete dog’s breakfast they are.
Having both carefully studied the guidance document, we’re still none the wiser as to how the law applies to the average small business, or what changes need to be made in order to comply with the legislation before it comes into effect on 26 May.
The crux of the new legislation is that website owners must seek consent before dropping cookies on visitors’ devices, be that a PC, smartphone or any other net-connected gadget. It may seem laudable that users should have to give their express consent before cookies are stored, but when you think about what that means in practice, it opens up a minefield through which there is no completely safe path.
As the ICO itself admits, “gaining consent will, in many cases, be a challenge”, which is a masterclass in the art of understatement. It gets even better (well, worse, really) when it comes to third-party cookies: the “guidance” warns that getting consent for these will be complex, then advises website owners to make sure they’re doing what they can to allow users to get the right information, but doesn’t offer any hint as to what the right information might actually be.
How to gain consent
The ICO states that it will not “issue prescriptive lists on how to comply” with the new regulations. It says “you are best placed to work out how to get information to your users, what they will understand and how they would like to show that they consent to what you intend to do”.
In other words, as a website owner you have to take a judgement on how to comply with the legislation in the hope that, if a customer complains, the authorities will agree that you did the right things. That’s a bit like the Government refusing to supply a prescriptive list of road speed limits and expecting you to justify your speed to any police officer who pulls you over. It’s as if the guidance has been written by Robbie the Robot, bashing the keys randomly while shouting ‘you will comply’ very loudly.
According to the guidelines, this is how website owners are supposed to proceed:
Decide which cookies are “strictly necessary” for a service requested by the user, as these do not need consent. The ICO guidelines stress that “strictly necessary” will be interpreted “narrowly” (thanks for that), but the guidance does give the example of a cookie used to store the contents of a shopping cart prior to checkout. We think this would also cover cookies used as part of the log-in process for most websites, but that’s just our judgement – who knows?
Decide how to get consent. If you’re selling something or inviting users to register on your site, you can direct them to your terms and conditions but of course this doesn’t apply to existing customers – you’d be expected to contact them to specifically agree to the new terms and conditions. All because you want to store their preferences.
The bottom line
The bottom line is this. Except for “strictly necessary” purposes, you need to get consent. This is fine for online shops because you should be asking for customers to agree to your terms and conditions in any case – you just need to think about how you deal with existing customers. It’s more difficult for information sites.
It’s the “convenience” cookies and those used for analytics purposes that are going to cause compliance headaches. Where do I store a record of their agreeing to cookies? In a cookie? Will I need separate agreement to that cookie? Or do I need to store it in a database with all the cost involved in coding that?
For convenience cookies you might get away with adding a rider to the link that leads to the page setting the cookie – for example “Be aware that by clicking this link we will save a cookie to your device” but who knows? Definitive guidance doesn’t exist.
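One practical answer to the storage question above is to gate every cookie you have classified as non-essential behind a single first-party consent cookie, so the consent record is the only thing written before the user agrees. The following is an added example written for this page; it is not code from the original article or from the ICO, and the cookie names (cookie_consent, session_id, cart, lang_pref, _analytics) and the necessary/optional classification in COOKIE_POLICY are assumptions made for illustration. Whether such a design satisfies the regulations is exactly the judgement call the article complains the guidance leaves to you.

```javascript
// Added example: a minimal cookie-consent gate. Not from the PC Pro article or
// the ICO guidance. Names and classifications below are assumptions.

// Name of the first-party cookie that records consent (hypothetical).
// Design assumption: this cookie is treated as exempt, since it exists only
// to honour the user's choice; it is written by recordConsent(), never gated.
const CONSENT_COOKIE = "cookie_consent";

// Site owner's own classification of every cookie the site sets. The ICO
// leaves this judgement to the site; the labels here are assumptions.
const COOKIE_POLICY = {
  session_id: "necessary", // log-in / session handling
  cart: "necessary",       // shopping basket before checkout (the ICO's example)
  lang_pref: "optional",   // a "convenience" cookie
  _analytics: "optional",  // analytics
};

// Parse a document.cookie / Cookie-header string into a name -> value object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (!name) continue;
    out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Consent is present only if the consent cookie carries the exact value "yes".
function hasConsent(cookieString) {
  return parseCookies(cookieString)[CONSENT_COOKIE] === "yes";
}

// In-memory jar with document.cookie semantics (getter joins all cookies,
// setter stores one cookie per assignment and ignores attributes). In a browser
// you would pass `document` instead; this lets the gate run offline in Node.
function makeMemoryJar() {
  const store = new Map();
  return {
    get cookie() {
      return [...store].map(([k, v]) => `${k}=${v}`).join("; ");
    },
    set cookie(str) {
      const [pair] = str.split(";");
      const idx = pair.indexOf("=");
      store.set(pair.slice(0, idx).trim(), pair.slice(idx + 1).trim());
    },
  };
}

// Write one cookie with sensible attributes (one year, site-wide, SameSite=Lax).
function setCookie(jar, name, value, { maxAgeSeconds = 31536000, path = "/" } = {}) {
  jar.cookie = `${name}=${encodeURIComponent(value)}; Max-Age=${maxAgeSeconds}; Path=${path}; SameSite=Lax`;
}

// The gate: strictly necessary cookies are set unconditionally; anything else
// is set only if consent has already been recorded. Returns true if the cookie
// was written, false if it was blocked. Unclassified cookies are an error so a
// new cookie cannot slip past the policy unnoticed.
function setCookieIfAllowed(jar, name, value) {
  const category = COOKIE_POLICY[name];
  if (category === undefined) throw new Error(`unclassified cookie: ${name}`);
  if (category === "necessary" || hasConsent(jar.cookie)) {
    setCookie(jar, name, value);
    return true;
  }
  return false;
}

// Called from the consent control (a banner button, a checkbox on a form, ...).
function recordConsent(jar) {
  setCookie(jar, CONSENT_COOKIE, "yes");
}

// Walk-through: before consent only the session cookie lands; after consent
// the analytics cookie is allowed through. Returns the final cookie names.
function demo() {
  const jar = makeMemoryJar();
  setCookieIfAllowed(jar, "session_id", "abc123"); // necessary: written
  setCookieIfAllowed(jar, "_analytics", "ga.1");   // optional, no consent: blocked
  recordConsent(jar);
  setCookieIfAllowed(jar, "_analytics", "ga.1");   // optional, consented: written
  return Object.keys(parseCookies(jar.cookie)).sort();
}
```

The point of the register is that "necessary" is a decision you make once, in one place, rather than at every call site; the consent record lives in a first-party cookie so no database is needed, at the cost that the record disappears when the user clears cookies and you must ask again.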
Our biggest concern is that the law will ultimately evolve through the prosecution of website owners. A customer will complain and the authorities will use the law courts to turn the existing subjective guidelines into enforceable law. The only defence we can recommend is to study the guidelines and do your best – there is no cut and dried, 100% safe approach.
This entire process began with a desire to make cross-site behavioural advertising opt-in – an entirely laudable aim. But it has ended up in a predictable mess as legislators try to encapsulate every use of cookies within a single set of rules.
Unfortunately, until the ICO revises this appalling piece of guidance most of us will be none the wiser as to how we can comply. It admits the document is “not a definitive guide”, but with time fast running out to meet that compliance deadline, a definitive guide is exactly what the ICO should be producing.
Author: Kevin Partner and Davey Winder
Posted on 17 May 2011 at 11:22. Taken from PC Pro – Custom PC On Line.
Read more: New cookie laws: why website owners should be worried | Security | Features | PC Pro http://www.pcpro.co.uk/features/367411/new-cookie-laws-why-website-owners-should-be-worried/2#ixzz1NC1NV9ME