Analytics or feature based cookies are pretty low on enforcement scale
As the deadline for the enforcement of the UK’s Privacy and Electronic Communications law looms even closer (26 May 2012) there has, at last, been some light and clarity about the rules surrounding the requirement of both informing and getting visitor acceptance of the setting of cookies and in particular those relating to the collection of analytics data.
Last year when the directive officially came into force, published a post (Can I have a Cookie, please? Maybe, but not for 12 months say ICO!), relating to the new requirements and highlighted the issue and the impact of possibly not being able to collect analytics data.
And, on the 27 March this year another one (EU Cookie Law – will you be prosecuted?) highlighting that very little had apparently been done, the issue addressed or indeed any real guidance given.
At last, some light on the Cookie Law implementation
Nothing very much has changed and some form of consent will still be required in relation to setting cookies for analytics data collection other than the ICO stating,
“Provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action. The ICO will also be issuing further guidance shortly which will provide further details on analytics cookies reiterating that they are covered by the new changes. We will also give our view on the applicability of implied consent for these and other cookies”
That statement indicates that there is a low likelihood that collecting analytics data will be given a high priority in terms of enforcement and prosecution but it doesn’t remove the requirement of obtaining consent,
“In practice we would expect you to provide clear information to users about analytical cookies and take what steps you can to seek their agreement. This is likely to involve making the argument to show users why these cookies are useful.
Although the Information Commissioner cannot completely exclude the possibility of formal action in any area, it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals.”
UK Cookie Law – At last some guidance
As reported in Outlaw.Com The International Chamber of Commerce (ICC) UK has only recently issued new guidance (15-page / 296KB PDF) on cookies which has been welcomed by the ICO (Information Commissioners Office) and contains information on the different categories of cookies that website owners often use and when consent to those cookies will be required.
The guide also includes examples and suggestions of wording which website owners can use when asking for various types of user consent.
David Evans, group manager for business and industry at the ICO, said in a statement,
“The ICC UK guidance provides useful information on how organisations can achieve this and reinforces the ICO’s key message that giving users better and more consistent information will make it easier to gain their consent.”
“We are almost at the end of the year long lead in period and it is vital that organisations start demonstrating that they are moving towards compliance,” Evans said, according to the ICC UK’s blog.
The hope is that if the information given to users is consistent across different websites they might visit they will more quickly become familiar with what cookies are used for and why.
Browser setting to control cookie setting
The use of a browser’s settings is specifically identified in the e-Privacy Regulations as a means of giving consent, however, compliance with the new cookie law will only be achieved if enhanced browser settings allowing users to express consent to cookies being set are used in conjunction with the supply of adequate information to users, when appropriate, about the cookies consent is being sought for.
The Government and the ICO have said that browsers will be an important part of giving users the increased access, information and control required by the law.
Government has been working with browser manufacturers to see if browsers can be enhanced to give users easier access to settings and to make those settings as informative and easy to use as possible but, unfortunately, this is work-in-progress and implementation is still some way off.
The cookie laws are designed in the main to control the proliferation of 3rd party cookies, generally used for tracking purposes rather than 1st party cookies and existing browsers do offer some controls over the setting of these cookies in their privacy setting.
As highlighted in first post last year, if 3rd party cookies are set to request consent status the user experience is both frustrating and annoying.
There are that many cookies being set as various actions are performed it makes the process equivalent to pulling teeth without and anaesthetic! Any implementation built into browsers will have to overcome some real problems if they are to become the de-facto method for cookie control.
The ICC guide is designed as a good and first tool to aid compliance in the absence of enhanced browsers but will continue to be a relevant tool once enhanced browsers become available as it might be impossible for browsers to address all the various requirements for full compliance to the EU directive on cookie law implemenation.
What we should all realise is that, although there is light at the end of the tunnel and there probably will be methods universally introduced, we can’t behave ostrich-like and just stick our heads in the sand and hope for the best.
The takeaway is that we can’t rely on others to come up with solutions and we have to take some action on our own to try and achieve full compliance.