New recipe for cookies!

Friday 13 April 2012

The change in the law on “Cookies”

“Cookies” allow a website to recognise a user’s device (i.e. PC, tablet, laptop or phone), applying user preferences and working in the background to enhance usability. This generally involves the website storing personal information about the user. Regulation 6(2) of the revised Privacy and Electronic Communications (EC Directive) Regulations 2003 came into effect last May. These state that:

The requirements that website operators need to comply with when using Cookies are that the subscriber or user of that terminal equipment:

1. is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information [i.e. which has been obtained through use of the Cookie]; and
2. has given his or her consent [to such storage].

The government has allowed for a “phase in” approach, the grace period of which ends this May.

Does the change apply to all Cookies?

An exception is made for Cookies which are “strictly necessary” for the functionality of the website. The trespass of the user’s hard drive is essential in this situation for the efficient navigation and, ultimately, usability of the website. However such a narrow exception doesn’t give operators much leeway when even Cookies which are deemed “important” (but not “essential”) require consent from the user. Previously users could opt out with the relevant information contained in a privacy policy, but now users need to opt in.

Is the change necessary?

Raising awareness is always helpful, but one can only wonder how many actually understand what a cookie actually is. Cookies do not carry viruses or install malware on our computers, which may come as a surprise to many. They can be abused by pushy advertisers to fill up the pages we visit with content which might be most relevant to us. At their worst they can be used to track what you are doing and be used maliciously as spyware. By storing your history and preferences a profile of you can begin to be built up. Of course one should not underestimate the impact of cybercrime, with the Norton Cybercrime Report (2011) revealing that, in 2011 alone, there were 431 million cybercrime victims globally.

To some degree this simply highlights the fact that whilst there is a huge problem with internet crime, cookies are very much the tip of the iceberg. Trojans, worms, viruses and malware are much worse offenders.

What will operators have to do to comply?

Even where cookies are used intrusively for analytics and advertising, the behaviour of the minority is set to impact on the responsible practices of the many. The Information Commissioner’s Office themselves accept that “gaining consent will, in many cases, be a challenge.” As a term “prior consent” is ill defined and there is a lack of agreement as to how far operators will have to go: will a popup be sufficient?

When Cookies change, will new consent have to be sought? The technical considerations for the operator are likely to be an additional unwelcomed (and arguably unnecessary) hurdle for many businesses. The constant interruptions to the user could become extremely irritating and the “comprehensive information” that the customer will be subjected to could simply result in us having to jump through yet more hoops, carelessly clicking the “I agree” boxes of usage agreements that so many don’t care to spend the time of day worrying about.

How enforceable will the new law be?

The Information Commissioner’s Office risks being inundated by complaints. However, we are not yet sure what solutions the ICO may be able to offer to users. Policing the new rules is certainly not going to be easy; we hope they are not going to turn out to be a “chocolate fireguard.” Whilst reputable established website operators will almost certainly endeavour to comply with the regulations, our concern is in regard to the many ‘rogue’ operators worldwide. In the abstract and elusive world of the net many offenders are likely to be simply beyond the reach of the law.