Cookies and consent
What’s the current position?
This has caused considerable disquiet among website owners. Cookies are essential for the operation of almost all websites, and on the face of it the new regulations will require websites to use pop-ups or landing pages to obtain consent for this from users.
This is unlikely to be popular with users, who may find their web browsing interrupted by multiple requests for consent. It could also threaten the revenues of sites who depend on income from third-party advertisers, whose operations may be hindered by users rejecting cookies used by advertisers to track browsing activity – which is, of course, precisely what the regulations are intended to do.
Does this only affect third party cookies?
Some have suggested that the new law will only affect third party cookies – such as tracking cookies used by advertisers – and that cookies used for the normal operation of a website will not be caught. This is based on an exception under the law waiving the requirement for consent where the cookies are “strictly necessary” for the operation of the website.
However, in my view most website owners will still need to comply with the new law. Where a cookie is necessary in order for a shopping basket to function, this will probably count as “strictly necessary”. However, it is doubtful whether the same can be said for other common uses of cookies, such as compiling site statistics and tracking how people use the site.
Is this actually going to happen?
I was at an event this week at which a speaker from the Information Commissioners’ Office pointed out that, while the ICO had not wanted or asked for this change in the law, “the law is the law” and the ICO is required to enforce it. There may be a “grace period” before full enforcement begins, but website operators will be expected to comply once the “technical solutions” are available for them to do so.
At present it is not clear how websites will comply with these obligations in practice. Discussions are under way to see if appropriate mechanisms can be built in to web browsers. However, websites will still need to be able to give information and obtain consent from users of older browsers or who are accessing the web by mobile phone.
So what do we need to do?
We are still awaiting the final regulations, and it also remains to be seen what technical approaches for compliance – pop-ups? landing pages? browser features? – will be developed over the coming months. Unfortunately, this does mean that website owners and developers are somewhat in limbo for the time being.