OK in all liklihood this post won’t make a lick of sense. That is not entirely my fault as I’m trying to make sense of something that seems more than a little crazy.
Tomorrow (May 26th 2011) the revised Privacy and Electronic Communications Regulations come into force in the United Kingdom, bringing us into line with the new EU requirements around getting consent from users to use cookies on websites.
The Information Commissioners Office (whose job it will be to enforce this at some point I guess) have issued some PDF guidance and have also released a PDF press release that essentially gives website owners a year to comply. More worryingly they have made a change to their own homepage that might give an idea of the future we are all about to face.
Alongside the ICO guidance the Department for Culture, Media and Sport (the lovely people who brought the Digital Economy Act) have released their own ‘clarifying’ statement as an open-letter. To be honest after reading this I was more confused than ever.
The Open Rights Group (an organisation I tend to trust on such matters) seems to think it is all meaningless as there is no intention “of implementing any form of meaningful consent for tracking from advertising companies.” As far as I can tell that pretty much punctures a law that initially was designed to limit the invasive tracking online ad companies are capable of (something I was in favour of btw – I use Ghostery to try and limit my own exposure already).
On a practical level I’ve been issued immediate guidance from the Cabinet Office via BIS and thanks to the sterling work of Dafydd Vaughan and his work on the Recalled Products website for CFLabs I have a template to follow to ensure I can fulfill the immediate requirements.
I’ll be honest I worry this will be a law that gets ignored or circumvented by the vast majority but those of us running public sector websites will be compelled to comply and thus cripple our own sites at a time when the pressure is on to step up and deliver more and more digitally.
Digital by Default 
2 responses to “The Coming of the Cookie Monster”
It’s mostly interesting because as usual it is hopelessly vague and highly subject to interpretation. If you look at the ICO document it highlights Paragraph 6, which all this relates to. Clause 3A seems to imply that if you have use a browser that gives you the option to control and manage cookies, the service is covered. What browsers don’t allow that?
We’re assuming that all authentication related cookies fall under the ‘strictly necessary’ caveat but that in itself is completely open to interpretation.
The other thing to note is that we have always been obliged to inform users when cookies are in place and give them the option to opt out, and staggering numbers of sites don’t do this or hide it away so a user can never see it. Such behaviour is rarely challenged, will non compliance with the new ruling be challenged?
Yea the UK interpretation of the law is trying to use the ‘browser option’ as something of a get out clause I think but like you say its all so vague & written in double-speak..
It probably won’t make sense til the first organisation gets prosecuted!