UK Cookie Law: Practical advice on how NOT to comply
May 8, 2012
The UK “Cookie Law” has been referred to as “half baked” and “crumbled” to name but a couple of the many possible clichés. However, like it or not, from 26th May the ICO will be commencing enforcement of the year-old law and is currently taking steps to make it easy for consumers to register their complaints against non-compliant websites. As the firm’s resident privacy expert, I am being asked the question “What should we do to comply?” on an almost daily basis. This is immensely frustrating because, as a lawyer who prides herself on providing sound but commercial advice, I simply cannot give a satisfactory answer.
The problem is that, as a lawyer, I feel compelled to advise clients that they should comply with the letter of the law, however, it is extremely unlikely that most website users would proactively consent to cookies such as website analytics cookies, which provide little or no benefit to them. This in particular could be extremely detrimental for millions of businesses who rely on tracking of the visits to their website in order to effectively manage their online marketing. The ICO is aware of this and, I believe, has sympathy with the predicament of website owners. Understandably the ICO would never publicly say that the law is wrong, however, last month the ICO stated publicly that it would not be prioritising its enforcement efforts against websites using Google analytics cookies without consent, provided that full information about the cookies was clearly and obviously available to users.
This makes providing definitive advice exceptionally difficult… can a lawyer advise clients that they probably don’t need to bother completely complying with a law because the agency that is tasked with enforcing it probably won’t come after them??
Ultimately our clients and millions of other website owners will need to decide for themselves whether, on balance, the information gained from cookies is important enough to accept the, seemingly small, risk of enforcement action from the ICO. If you intend to get consent for all non-essential cookies, and you haven’t put anything in place to do this yet, you should do so without delay. There are now quite a few different software products out there that can help you do this or, of course, you can build your own mechanisms into your website.
Even if you make the decision that the information collected by your cookies is too important, there are still some steps that you should take as soon as possible (if you have not done so already): - conduct a cookie audit; - remove any cookies that you don’t actually need, particularly if these are invasive in their nature; and - provide detailed information on your website about your cookies.
With luck, those measures will be enough to ensure that you are not a prime target for the ICO’s wrath, however, you should keep this under review in case the ICO’s policy changes in the future - it may become necessary to comply with the law much more strictly necessitating amendments to websites and collection processes. But who knows, maybe by then someone will overcome the oxymoron of a ‘non-invasive opt-in’ with a magical technical solution. We live in hope…