EU Cookie Law – The whys and what fors
No doubt you'll have been made aware of 'the great cookie debate' in the media coverage running up to the implementation of the EU Cookie policy into UK law. With conflicting advice emerging from those working within the industry as well as from the ICO themselves, the fact still remains that no definitive implementation has been dictated.
Does a website need to seek explicit consent for the use of cookies?
Shortly before the law came into force the ICO changed their advice and redrafted their guidelines, stating that implied consent is (and always has been) a valid form of consent.
"Implied consent has always been a reasonable proposition in the context of data protection law and that it remains so in the context of storage of information or access to information using cookies and similar devices."
Part of the big debate surrounding the whole idea of gaining consent for cookies is that there has been no clear guidance on how consent should be gained (or a method for doing so). The ICO wanted industry to determine how best to implement the policy and, as a result, there are now 1,000s of different implementations of the policy:
- http://www.bt.com/ - their Cookie settings appear bottom-right for a few seconds as a pop-up.
- http://www.google.co.uk/ - no pop ups, just a link in their footer to 'Privacy and terms', and then a click through to their Privacy policy (cookie information is half-way down the page).
- http://www.bbc.co.uk/ - their Cookie box appears right along the top the first time you visit, stating that Cookies are set and that continuing to use the website will mean that the user agrees to their use.
- http://www.amazon.co.uk/ - they don't have any obvious warning messages, etc., but a (rather discreet) link in the footer, "Cookies and Advertising".
- http://www.guardian.co.uk/ - again, a small bar similar to the BBC website which appears along the top the first time the website is visited.
Had the ICO not changed their standpoint, our advice would have been to go down the pop-up message route and ask for explicit consent. Now that they state that implied consent is a valid form of implementation, we believe that making sure your privacy policy includes information about the cookies used on the website will be enough to comply. We'd also recommend the introduction of an additional page that can educate users on what cookies are used and why.
Obviously, if your website's cookies go further than simple tracking (Google Analytics, etc.) then a more obvious form of consent should be used.
And what of the humble user?
There's no escaping the fact that the whole purpose of this new EU policy was to make users aware of cookies and what websites were using them for. If the ICO had been able to get the browser developers on board prior to the policy coming into force, then the implementation could have been standardised across all major browsers. Users would have been informed in a consistent format and may even have come out of the process knowing a little more about what cookies are and why they're used.