Countdown to Cookies: Where are we?

With a little over a month until the ICO’s self-imposed 12-month moratorium on enforcement of the new cookies rule expires, it would appear as good a time as any to take stock and to ask where we are, and what the 26 May deadline will bring.

About the only thing that seems certain with the new cookies rule is that it is here to stay. Initial industry disbelief that a need to obtain express consent to the use of cookies would actually be imposed on website operators has long passed as the ICO’s message has sunk in – this is the law, and you have to comply with it. While this is clear, unfortunately, how these operators are expected to comply with the law remains the unclear bit.

The great industry hope that some form of advanced browser settings, or a widely adopted ‘Do Not Track’ standard, would provide a technological silver bullet has not come to fruition.  And it appears it will not for some time yet.

The ICO has given its guidance on the approaches that it believes website operators can adopt to collect consent. However, this tends to focus on the obvious. If your users need to sign up to terms and conditions before accessing the website, build a consent to cookies into that mechanism. Not particularly helpful for the large majority of websites that deploy cookies on an audience that is simply passing through.

In fairness to the ICO, its guidance makes clear that no single solution will apply to all cookies. And this must be right. The mischief that this new rule has always been targeting is the increasingly advanced and expansive accumulation of browsing behaviours – namely online behavioural advertising. It would not be right that cookies deployed purely to track technical difficulties with a website, or to track the number of hits at particular times of the day, should be subject to the same level of user acceptance as the profiling of their browsing history to display targeted adverts or alter the content that user sees.

Admittedly the ICO’s ‘intrusiveness’ barometer for determining the necessary ‘explicit-ness’ – if you will – of consent is somewhat abstract and does not necessarily lend itself to the practicalities of how many cookies operate. But its guidance all but says that a form of ‘enhanced implied consent’ – based on better, more detailed information about cookies and an assumption that the user consents unless they indicate otherwise – will be sufficient for analytical cookies. This approach has been confirmed by reports that it will be “highly unlikely” that the ICO will seek enforcement action in respect of these cookies.

And this is where one can see the ICC UK’s recent Guide to Cookies as a very helpful tool. It would seem an obvious ‘easy win’ for website operators to leverage the good work that has been done and adopt the ICC’s clear categorisation and supporting explanatory language in their own cookies statements. This will certainly assist in achieving the ICO’s intended aim of improving the online population’s education and understanding of the use and benefit of cookies. (Although one wonders if, eventually, this language will become so common that – much like the position now – users simply recognise it as ‘website noise’.)

So, if the position is a little clearer for analytical cookies, where does that leave us for other cookies? Can internet users expect to be faced with a barrage of pop-up boxes on 27 May?

From industry chatter the answer is likely to be no.  The current perceived wisdom of not wanting to be the first to jump seems likely to extend beyond the deadline.  Certainly improved and more prominent cookies notices will be (and to an extent already are) the norm. But big brand names still appear resistant to imposing light-boxes, pop-ups or persistent banners on their customers unless they are forced to do so.  We will have to wait to see whether this changes as a result of a high-profile target of ICO enforcement action.

Simon Elliott

About Simon Elliott

Simon focuses on advising multinational corporates on a wide range of data protection and technology law issues.
