This blog describes the main players in the cookie law debate, who they are, what their roles are, and what their motivations are.
I’ve made every effort to be reasonable and accurate but if you represent any of the groups I’ve described below and think I’m being unfair or I am putting words in your mouth, please let me know!
“The Information Commissioner’s Office is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.”
The most important thing about the ICO is that it is their opinion that matters, not anyone else’s. Their views can either be interpreted as either vague and woolly without much in the way of concrete guidance, or they can be interpreted as liberal and non-prescriptive, giving businesses freedom and time to come up with pragmatic and appropriate responses to the law. The ICO have little interest in victimising sites that use 1st party, anonymous analytics cookies without prior opt in consent, and they will take into account the efforts that companies have made when investigating any complaints. They have suggested they will be going after companies that deliberately, persistently and knowingly intrude on users’ privacy. Companies who can demonstrate willingness and are taking steps towards compliance are likely to be given only encouragement. All in all, they seem pretty reasonable, but are in a tough position of being required by government to enforce a badly worded law that is not of their making, and on the other hand bearing the brunt of industry’s criticisms of the vagueness of the law. In response to the accusations of a lack of guidance, they advised that industry should be careful what it wishes for. The ICO could provide concrete guidance, but it would be guidance to suit the ICO, and not necessarily industry. Although their guidance has been consistent throughout it has softened in tone throughout as well. A recent interview with Dave Evans of the ICO demonstrates this. They have little appetite to aggressively enforce the law, and would rather educate, empower, engage and encourage industry rather than fine it.
“DCMS works to make sure the communications, creative, media, cultural, tourism, sport and leisure economies have the framework to grow and have real impact on people’s lives. We create the conditions for growth by removing barriers, providing strategic direction and supporting innovation and creativity.”
In other words they are UK Government department who kow-towed to Europe and gave us the cookie law. To be fair , the DCMS had to copy and paste the well-intentioned but poorly worded EU directive into UK law, because if they re-wrote it they would risk being sued by the EU whose objective is to standardise laws across Europe. It’s worth remembering that we have a euro-sceptic, pro-business government who will have little appetite for prosecuting businesses with large fines for minor transgressions of an EU originating law during a recession. DCMS recognises that advertising is an essential and legitimate part of the web, and they don’t consider analytics cookies to be intrusive. DCMS are fully behind the “ecology of solutions” principle, which encourages a range of measures which are designed to give web users control over their privacy, and they are encouraging businesses to get a grip of the types of cookies with the highest level of perceived intrusiveness first. They have broadly similar views to the ICO, as would be expected.
“The Article 29 Data Protection Working Party was set up under the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. It has advisory status and acts independently and is composed of a representative of the supervisory authority designated by each EU country, a representative of the authority (ies) established for the EU institutions and bodies and a representative of the European Commission.”
Wake up now. The Article 29 Working Party expects the EU directive to be complied with to the letter. Consent means prior, explicit, opt in, specific, informed consent and nothing else will do. They accept this would be bad for the user experience, but suggest that users would only have to do this once per website and sites could then remember the consent had been given, possibly using a cookie. This is the very hard line view and is practically all but impossible as it would require almost the entirety of the EU internet to be re-coded. Fortunately they WP29 doesn’t directly have any power, although they do have influence. I think It’s fair to say this hard line influence hasn’t extended to the ICO however, even though ICO honcho Christopher Graham is vice chairman.
The WP29 have been helpful in pointing out the weaknesses in the IAB self-regulatory framework, particularly the www.youronlinechoices.com site. Their comments demonstrate that someone in the group has a grasp of the technology involved and they exposed some important gaps that were hitherto un-discussed.
“The Internet Advertising Bureau (IAB) is the trade association for online and mobile advertising. It promotes growth and best practice for advertisers, agencies and media owners.”
The IAB exists to serve the best interests of the online advertising industry so it should hardly be surprising that their views support the best interests of the advertising industry. The IAB doesn’t seem to accept the concern that the online advertising industry has been reliant in recent years on using and selling individuals data without their knowledge or control. This is demonstrated by a recent quote from Nick Stringer, the IAB’s Director of Regulatory Affairs who said “The UK economy is driven by the internet economy, and the internet economy is driven by data. Let’s not screw this up”. This neatly ignores the fact that the way this advertising data has been collected is what has screwed this up, and if the online advertising industry had been more transparent about cookie data collection and usage from the outset we would probably never had had this law.
The IAB made efforts to provide an opt out mechanism and a self-regulation scheme. (Whether this was a pro-active measure that pre-dates the law or a re-active measure to the law depends on who you talk to.) The IAB’s self regulatory scheme (www.youronlinchoices.com) has attracted valid and specific criticisms from WP29 who are concerned that by opting out a user is opting out of receiving behaviorally targeted advertising, they may still be tracked, and their data may still be collected.
The IAB have been very successful in having their scheme endorsed by the ICO and DCMS. Ed Vaizey is on record as saying that the framework is an “essential” part of the package of solutions. Despite the flaws of the scheme, it is pretty much the only control mechanism for 3rd party advertising cookies we have at the moment and if it evolves and improves and becomes well understood by the public it’s got to be a good thing.
The IAB is bouncing along and saying all the right things about complying with the law, especially when within earshot of the ICO. This is very sensible because you can be fairly certain they, or one of their members would be getting a sharp clip round the ear from the ICO if there were any murmurings of dissent.
Consent “solution” vendors
A number of small companies have sprung up offering solutions to the cookie law. These companies favour interpreting the law to the letter, which in most cases means a popup or page header that blocks cookies until a “consent” button has been clicked. Conveniently It is these popups and headers and blockers that the vendors are selling.
The sellers of these products typically consider that compliance is impossible without such measures, and criticise any alternative interpretations of the law as being not compliant or illegal, even ones (such as the idea of implied consent) that the ICO consider to be suitable for some uses. These are the most strident voices in support of the letter of law. The majority of sites who have bought these products are seem to be smallish businesses who have neither the time, money or expertise to make their own assessment of the law, who are scared by the prospect of a £500,000 fine, and have been convinced a free or nearly free product will afford them some protection.
I have written another article on the case against cookie consent solutions and why I really don’t think you should use them. I’m not a fan.
Anyone who uses mis-information or out of context information or exaggerated claims to try to persuade other people of things about the cookie law that aren’t true falls into this category. The comments sections of numerous blogs posts around the web are full of them.
The most common scares are:
“You might be fined half a million pounds!” – No you won’t. Technically the ICO has the power to fine up to half a million for serious data breaches but look at the fines they have recently served and see if you can spot a pattern.
- £140,000 To Midlothian Council for sending sensitive information about children and their carers to the wrong people on five separate occasions. link (This is the biggest fine they have levied to date.)
- £130,000 to Powys County Council, for sending details of a child protection case to the wrong person.
- £100,000 to Herefordshire County Council for faxing highly sensitive information about child sexual abuse and details of care proceedings to the wrong people. link
- £60,000 to employment services company A4e for losing an encrypted laptop which contained personal information about 24,000 people who had used community legal advice centres. link
Based on the evidence, I think the type of cookie law breach that is likely to attract a fine is if your cookies collect highly personal data (such as medical or criminal information) without telling people and then you lose or leak this information. Seeing as the most intrusive thing cookies are normally used for is to try and sell you the same pair of underpants you were checking out yesterday, a fine of anywhere near this magnitude seems massively unlikely. And to attract a fine of the full half a million your breach would need to be three and a half times as bad as Midlothian Council’s. I can’t even imagine how you would do that using cookie data.
“The law will cost the economy billions and will therefore bring down the entire online economy and the UK economy with it.” No it won’t. I sometimes think that the people who come out with this argument are so determined to prove the law is an ass that they are willing to wreck their own web businesses with stupid changes just to make a point. This really isn’t necessary. Everyone knows the law is an ass. Few arguments there. It is true that if you really wanted to, you could interpret the law in such a way as to make your website so awful that no-one would want to use it. It is equally true that you could interpret the law in such a way that increases your users’ trust in your brand and not drive anyone away. It’s up to you. If you want deliberately and un-necessarily ruin your website, I can’t stop you. Sample article here.
“The law means that every website will be covered in annoying popup boxes! This will really suck!” – Yes, if everyone interpreted the law to mean that a prior consent opt in pop up is what is demanded for every cookie type and everyone implemented one, yes I agree that would suck pretty hard. But look around you. How many of these do you actually see on serious websites? The answer is very, very few. The highest profile one I can see is Delia Smith who has one her site. Forgive me but I wasn’t aware of the point in time when Delia became an authority on EU ePrivacy law. Maybe I missed something but I thought the closest she got to Brussels was sprouts. (Sorry.)
The intention of the law was to protect users, but no-one really knows what they think, and their voice has been largely absent from the debate. It’s fair to say that most users don’t know very much about cookies and are totally unaware of the new law. I’ve been to several conferences about this cookie law and the speaking panels are always full of people from the ICO, the IAB, various consent solution vendors, lawyer, and people from the online advertising industry. Only once was there someone from Which? who got three minutes to speak. That’s it.
The DCMS commissioned some research which they published in April 2011, so it’s likely to be a bit out of date now. I’ve (cherry)picked out some of the findings, but I recommend you read the full report:
- 77% of respondents said they were concerned about internet security.Of these people 75% were concerned about abuse of personal data sent over the internet.
- 32% have actively changed privacy settings on their browser, 20% reviewed them but didn’t change them.
- 15% were aware of existing cookie opt out solutions
- 13% indicated that they fully understand how internet cookies work
- 45% indicated that they had some understanding of them.
- 37% had heard of internet cookies but did not understand how they work
- 37% do not know how they manage internet cookies on their computer.
The other source of information about user’s attitudes can be gleaned from comments on articles about the cookie law on non-cookie law related websites. The prevailing attitudes are ones of fear caused by ignorance about cookies, or people who extol the virtues of various ad and cookie blocking browser controls and add ins. There does seem to be an undercurrent of understanding that the reason why all the stuff we love on the internet is free is because it’s paid for by advertising and cookies have something to do with that. But people are happy to block the ads and enjoy the free services anyway. There is hardly any support for pop ups boxes on sites in the comments.
When you are thinking about how to respond to the cookie law, make you’re listening to the people who matter. Most important are your users, and second most important are the ICO. Be politely sceptical of anyone else, because their opinion doesn’t really matter and is likely to be coloured by their own agenda. For the record my agenda, lest it colours my writing, is to help companies make informed choices about how to give their customers informed choices about cookies.