Author: Tom du Pré

Dear ICO: This Is Why Web Developers Hate You – A response

The good people at Silktide recently posted another of their entertaining blogs, this one entitled “Dear ICO: This Is Why Web Developers Hate You“. Silktide are the same people who made the “The stupid EU cookie law in 2.5 minutes” and, more recently, “The stupid cookie law and why it should die” videos. I broadly sympathise with Silktide’s views and find their videos hugely entertaining, well written and clever. I would, however, like to address some of Silktide’s statements and provide a bit of balance.

Silktide:
“Dear ICO. On behalf of web developers everywhere, what the frolicking duck?
As the body responsible for policing the infamous Cookie Law in the UK, you don’t exactly have a popular job, to be fair.”

This is a very good point. The ICO didn’t write the law so it’s not their fault it was badly written. It’s fair enough to take issue with how they’re enforcing it, but it’s not fair to blame them for the law itself. For that, direct your fury at the DCMS, or better still, the European Commission.

Silktide:
“A year ago you graciously granted us an extra year to comply with the law, announcing your decision just 24 hours before the law came into effect. Last week, 24 hours before the really-we-mean-it-this-time law took hold, you changed it completely.”

No, they didn’t change it completely. In fact, they didn’t change it at all. What’s being referred to here is the ICO’s latest guidance, which includes a section on whether “implied consent” is a real thing or not. The latest guidance does provide new, more detailed information on what implied consent is and when it may and may not be considered valid, but it expands on the previous guidance rather than changing it. You will expect me to back this claim up with evidence, and there’s a lot to choose from, so I’ve picked a few good examples:

The second version of the ICO’s guidance (which is now hard to find on the web, because the ICO seem to have redirected all links to it towards their latest guidance) had a section about implied consent. It doesn’t seem to preclude implied consent, but it does suggest that it’s not as strong a form of consent as explicit consent. This is pretty obvious and is a position elaborated on in the latest guidance.

ICO (second version of the guidance):
“The level of consent required for any activity has to take into account the degree of understanding and awareness the person being asked to agree has about what they are consenting to. A reliance on implied consent in any context must be based on a definite shared understanding of what is going to happen – in this situation a user has a full understanding of the fact cookies will be set, is clear about what cookies do and signifies their agreement. At present evidence demonstrates that general awareness of the functions and uses of cookies is simply not high enough for websites to look to rely entirely in the first instance on implied consent. As consumer awareness increases over the next few years it may well be easier for organisations to rely on that shared understanding to a greater degree. This shared understanding is more likely to be achieved quickly if websites make a real effort to ensure information about cookies is made clearly available to their users, for example, displaying a prominent link to ‘More information about how our website works and cookies’ at the top of the page rather than through a privacy policy in the small print.”

eConsultancy published an interview with Dave Evans of the ICO on 24th April 2012. In this interview, Mr. Evans made his views on implied consent pretty clear. Read the interview yourself, but some choice quotes are:

Dave Evans, ICO
“The law does allow us some leeway.”

“Just because analytics cookies are caught by this law doesn’t mean a strict opt-in is necessary.”

“In the medium to long-term, if lots of websites are more transparent about cookies and privacy, then users will become more informed and it will be easier to assume knowledge.”

“If we can operate on the basis that, since a website has made efforts to inform customers, and through this collective education process, people understand how and why online businesses are using their data, a website could claim with some justification that since we made it clear, and they are still using our website, opt-in consent may not be necessary.”

“It will take time to get to the point where most web users are aware of this, but this clarity of information may fill that gap for some websites. It may eventually become an implicit part of the relationship that websites gather and use analytics data.”

“If a website says ‘we’d like you to use cookies, but click here if you don’t want us to, and click anywhere else to continue’. If customers have seen this message, then this may be enough in most cases.”

“If it looks like an organisation has put enough information there, and it is clearly visible, such that it wouldn’t be likely that users would miss it, then it’s unlikely we would take that further.”

We were also warned on 2nd April 2012 by the Information Commissioner himself that he would be publishing more information about implied consent. Anyone who has spoken to the ICO, or heard them speak at any of the various seminars and meetings they have attended, would certainly have walked away with a strong feeling that implied consent was valid in some cases for some types of cookie usage. They have never claimed it’s a solution to everything, and they’ve always been clear that implied consent doesn’t mean do nothing. I agree that it would have been helpful to get the latest version of the ICO guidance a year ago.

Silktide:
“Any web developer who actually tried to comply with the law in either case has been royally and totally screwed, for no reason other than your blithering incompetence. Thanks for that.”

Hyperbole and exaggeration for comic effect. I’ll let it go.

Silktide:
Curiously – and don’t think we haven’t noticed – a lot of big sites, like the BBC, Guardian, BT, Channel 4 etc. all revealed solutions which comply with your revised guidelines just prior to you announcing it. We assume you’ve enjoyed long and comfortable consultation periods with all of them, which you decided to share with us one sunny Friday morning a day before it becomes law.

The implication here is that big companies somehow got advance warning of the latest guidance that was denied to smaller companies. I don’t think this is entirely fair. It is true that representatives from large UK companies were invited to attend events and seminars about the cookie law where the ICO were panellists. But these were not closed-door discussions, and representatives from all across the sector were either invited, invited themselves, or just turned up anyway and were let in. (It’s amazingly easy to get into the DCMS building for such events. You turn up, tell the receptionist your name and what you’re there for, they look on their list, and if they can’t find your name they give you a pass and let you in anyway.) It’s also true that lots of people had one-on-ones with Dave Evans to present their plans and get a steer, and I know that it is also pretty easy to get hold of him by phone and email for a steer. I don’t accept there was any secrecy here.

Silktide:
Look at your own implementation of the law (pictured) for instance. You rightly state others might improve upon this, but surely it occurred to you to hire a web developer who didn’t just drop out of kindergarten to design a solution that would be seen as the template for an industry? Surely you realise your own solution reflects the hard-edged ‘explicit opt in’ nightmare most web devs fear, not the light-touch ‘implied opt in’ you ultimately allowed everyone else to use?

All fair points. Totally agree. It bears all the hallmarks of being done in a frolicking ducking hurry.

Silktide:
Like many small businesses we’ve spent weeks researching and engineering a solution to the law (we even made ours open source). We know web agencies that spoke to hundreds of their clients, explained the painful but necessary changes, implemented and charged them who feel like setting fire to a flag with your logo on it right now.

Four things I’d like to pick up on here.

Firstly, the (misdirected and ill-thought-out) law isn’t all about web developers. It’s about giving everyday folk better information and control over their data. Just because a law requires effort to comply with doesn’t make its intentions bad.

Secondly, yes, lots of people have gone to lots of effort to understand and comply with the law. The ICO would argue that’s exactly what this last year has been for.

Thirdly, many of the people who have gone to great lengths to provide “solutions” to this law have done so only out of self-interest, and have been responsible for a huge amount of scaremongering and misinformation. Shamefully, much of this has been directed towards smaller businesses without the time or expertise to undertake their own lengthy assessments. I would stress that I do not include Silktide’s efforts in this category, but there are some shysters out there and they’re not hard to spot. See my related blog “The case against cookie consent header solutions”.

Lastly, and I do include Silktide’s efforts here, a lot of the effort has been spent on deliberately misinterpreting or ignoring the guidance and coming up with responses that unnecessarily assume the worst-case scenario of prior opt-in consent. Coincidentally, I also cover this in another of my blogs, “The cookie law and what we’ve learned”.

To conclude, I would like to reiterate that I am not a fan of the law, nor am I in any way in the ICO’s pocket. I do, however, support the law’s intentions. There are companies out there who are deliberately disingenuous in the manner in which they collect highly personal data about me, profile me and sell that data to goodness-knows-who, deny doing it and prevent me from having any control over that data. If the ICO use the law to prosecute these companies, I will consider raising a non-burning ICO flag.

As a final thought, I wonder if the ICO will be having any kind of review of the last year and their approach? If I was Christopher Graham or Dave Evans and I’d just had a bad day and my train back to Wilmslow had been delayed again, what would I be thinking? I’d be inclined to think that next time I wouldn’t issue any guidance, because I’d only be criticised for it; I wouldn’t give a year’s grace, because not many people are much further ahead now than they were last year and it just turned into a year of bitching; and I would go straight to prosecuting people and let everyone else figure out what they are supposed to do from the test cases. And I wouldn’t try to be nice and soft-touch, because everyone thinks that’s just being vague. When the new PECR laws come out, we may realise what an easy ride the cookie law actually was.

In my next blog I’ll be examining the differences between letter-of-the-law compliance, and doing enough to keep the regulator off your back.
