What the law says
Methods of getting consent
One area of confusion concerns the question of consent. Widely discussed possibilities include the use of browser settings, the use of pop-ups, consent incorporated into T&Cs acceptance, and the approach taken by the Information Commissioner’s Office (the ICO).
The Directive and implementing Regulations appear to allow web businesses to rely upon browser settings, but both the UK and EU authorities have indicated that current web browsers do not effectively enable consent. There is a UK government-formed working group tasked with finding a technical solution to the consent issue. With industry-leaders like Microsoft, Mozilla, Apple, Google, Yahoo and Adobe on board, the authorities appear to be hoping that the problem will be solved without further legislation. However, if the position of the authorities is right, and current browser settings are insufficient, then taking into account the fact that many users continue to use outdated browsers (5% of this site’s visitors use IE6, released in 2001), browser setting may never be a complete answer. Further, its not entirely clear what changes to browser settings would lead to compliance. More granularity may mean more confusion.
The consent requirement could be implemented by means of a pop-up box that asks new users to consent to cookies. Some of the problems of this approach are obvious. Most importantly, this type of feature will ruin the usability of the website: unless used very carefully, pop-ups are inherently offensive to most users. And how will the website remember users who have opted-out (without using cookies)? Will they see the pop-up on every visit? Where many cookies are being used (as on most modern websites), how can users realistically differentiate between the cookies and their different functions? Will the average user even understand the reason for the opt out procedure?
Where all users have to consent to website T&Cs, cookie consent can be incorporated into this process. However, the demands of usability mean that sign-up processes should be kept to a minimum, and this option will only be a solution for a small number of websites (Facebook, anyone?).
The ICO approach
One approach is to follow in the footsteps of the ICO itself. If you visit www.ico.gov.uk, you will see a banner across the top of the page asking for cookie consent. But look closer: the banner also highlights a key issue with the new law. Modern websites with interactive functionality don’t function properly without cookies. Given that many users (e.g. EU legislators and regulators) may not fully understand the importance of cookies, there is a risk that many users will refuse their use, without necessarily reading the explanatory text. Another problem – the potential of the new law to make cookie-based analytics systems (such as Google Analytics) worthless – has been highlighted by researcher Vicky Brock. The results of her freedom of information request concerning ICO usage statistics after the implementation of the consent banner make very interesting reading.
No enforcement for 12 months
Reaction to the new laws
Few informed commentators have much praise the new laws. At the time of writing, almost no UK websites have made changes to comply (the ICO site is the only one I’ve come across that wasn’t in jest, although I haven’t systematically searched). The fact is that many if not most UK websites using cookies didn’t comply with the old law, and it’s hard to believe that the level of compliance is going to increase significantly now that it is much harder to comply.
Any chance of new new laws?
Less than one third of EU countries have complied with the Privacy and Electronic Communications Directive to date, and the UK has said it won’t enforce the law for now. Surely policy makers realise that there is a serious problem with the new laws? A more targeted (and perhaps less technology-neutral) approach may be necessary to deal with the real problem of data misuse. However, at the time of writing there is no sign of any plans to amend the Directive or Regulations.
Regulation 6 of the Privacy and Electronic Communications Regulations (as amended) is quoted below:
(1) Subject to paragraph (4), a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met. (2) The requirements are that the subscriber or user of that terminal equipment– (a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and (b) has given his or her consent. (3) Where an electronic communications network is used by the same person to store or access information in the terminal equipment of a subscriber or user on more than one occasion, it is sufficient for the purposes of this regulation that the requirements of paragraph (2) are met in respect of the initial use. (3A) For the purposes of paragraph (2), consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent. (4) Paragraph (1) shall not apply to the technical storage of, or access to, information—(a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or(b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.