Who’s afraid of the cookie monster?

Not you? Well perhaps you should be.

On May 26th 2012 the moratorium for introducing this legislation runs out and we’re all supposed to be compliant or face a fine of up to £500,000 for not complying properly with The Privacy and Electronic Communications (EC Directive) Regulations 2003, itself based on a European Directive – 2002/58/EC. This was further amended in 2009 by Directive 2009/136/EC, something which in the words of the ICO “…. included a change to Article 5(3) of the E-Privacy Directive requiring consent for storage or access to information stored on a subscriber or users terminal equipment – in other words a requirement to obtain consent for cookies and similar technologies.”

To you and me, what this means is that we are now supposed to ask people if it is OK for us to use cookies on our sites rather than relying on them to decline them. Simply put, we now need to ask for permission.

Governments in Europe had until 25 May 2011 to implement these changes into their own law and the UK was no exception. The UK introduced the amendments on 25 May 2011 through The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 and it became law a year ago. But so many businesses were unable to comply with this that a twelve-month moratorium was sought from, and subsequently granted by, the ICO.

Now, with billions of websites out there, questions have been raised about how this will even be policed, and indeed if it is worth doing anything about it at all. And you can see the argument here: how on earth can anyone check every website in the UK and Europe? And how can you tell if a ‘UK’ website is actually UK based (eBay and Amazon being prime examples…)?

Looking for guidance to the bigger players in the market, we’ve recently noticed a pop up following us around the www.bt.com website asking for permission to drop cookies…

…but www.bbc.co.uk rely on you clicking on the link at the bottom of their page to find a full description of their cookie policy http://www.bbc.co.uk/privacy/bbc-cookies-policy.shtml. Helpfully though they appear to be one of the very few we’ve seen that actually tell you how to opt out of accepting cookies, and let’s be frank here, how many ordinary users actually know how to do this?

We’ve advised all our clients that have enquired that there needs to be a statement about cookies on their website and according to the latest information as long as you have a statement saying that you are ‘working towards compliance’ it should provide some wriggle room.

But what is this actually trying to achieve? Is this simply over regulation for the sake of it?

We understand the importance of privacy and we agree that individuals should have the right to anonymity; however, this solution looks at the wrong thing. If it must be regulated, it should be about regulating the information we as site owners collect about an individual who visits our site, but the focus has been entirely on the mechanism that we currently use to do this. So what if a replacement for a cookie is invented? How is this to be regulated? The broad ‘similar technologies’ phrase simply isn’t good enough.

Will this legislation actually make a difference? We doubt it. After all, we’ve just visited 10 Downing Street to see if they have a pop up that tells us about cookies but unsurprisingly there was nothing. Tucked away at the bottom of the page there is a ‘privacy policy and cookies’ link but it’s in small print and below the fold.

So for now, our advice to clients still stands – do what number 10 have done and you can’t really go wrong, after all, if it’s good enough for them……

If you’re still unsure about cookies and the new law then you can visit the ICO website to find out more or talk to us and we can help.