Cookies and consent

17 March, 2011

As has been widely reported, the government has confirmed that it will implement new EU regulations on the use of cookies by 25 May 2011. What does this mean in practice for website owners?

What’s the current position?

The current law on cookies works on an “opt-out” basis: website owners are required to provide “clear and comprehensive” information on their use of cookies, and users must then have the opportunity to opt out of using them. In the UK at least, it has been seen as sufficient to provide information in your privacy policy and then simply allow users to disable cookies in their web browser settings.

What’s changing?

The Citizens’ Rights Directive, adopted by the EU in November 2009, changes this to require websites to obtain prior consent for the use of cookies. Despite some confusion over what exactly the Directive meant when it was first passed, there is now an increasingly clear consensus that it requires an opt-in approach to cookies.

This has caused considerable disquiet among website owners. Cookies are essential for the operation of almost all websites, and on the face of it the new regulations will require websites to use pop-ups or landing pages to obtain consent for this from users.

This is unlikely to be popular with users, who may find their web browsing interrupted by multiple requests for consent. It could also threaten the revenues of sites that depend on income from third-party advertisers, whose operations may be hindered by users rejecting cookies used by advertisers to track browsing activity – which is, of course, precisely what the regulations are intended to do.

Does this only affect third-party cookies?

Some have suggested that the new law will only affect third-party cookies – such as tracking cookies used by advertisers – and that cookies used for the normal operation of a website will not be caught. This is based on an exception under the law waiving the requirement for consent where the cookies are “strictly necessary” for the operation of the website.

However, in my view most website owners will still need to comply with the new law. Where a cookie is necessary in order for a shopping basket to function, this will probably count as “strictly necessary”. However, it is doubtful whether the same can be said for other common uses of cookies, such as compiling site statistics and tracking how people use the site.

Is this actually going to happen?

I was at an event this week at which a speaker from the Information Commissioner’s Office pointed out that, while the ICO had not wanted or asked for this change in the law, “the law is the law” and the ICO is required to enforce it. There may be a “grace period” before full enforcement begins, but website operators will be expected to comply once the “technical solutions” are available for them to do so.

At present it is not clear how websites will comply with these obligations in practice. Discussions are under way to see if appropriate mechanisms can be built into web browsers. However, websites will still need to be able to give information to, and obtain consent from, users of older browsers or those accessing the web by mobile phone.

So what do we need to do?

We are still awaiting the final regulations, and it also remains to be seen what technical approaches for compliance – pop-ups? landing pages? browser features? – will be developed over the coming months. Unfortunately, this does mean that website owners and developers are somewhat in limbo for the time being.

However, those developing or updating their websites should be aware of the need to build in scope for introducing appropriate consent mechanisms once the legal and technical position is clearer. And now is probably a good time to start thinking about how your use of cookies can be explained in a way that will make users want to accept them rather than reject them.