Tag Archives: cookies

Implied consent for cookies

This week is Cookie week and the ICO have already been busy getting their marketing machine drumming up awareness, with several articles written by the BBC with numerous sound bites about what people should have done, should be doing, and will need to do in the future.

XX has conceded this is not an easy area to work in: major sites use a vast majority of cookies for various needs, and even auditing these is a massive challenge commercially.

The most significant nugget that I read today was that there is now an accepted level of implied consent from the user. Well, call me a total pleb who has never been on the internet, but haven’t we been doing that since the very start? By looking on the website you accept the terms of usage and in most cases ignore the link in the footer which tells you what that actually entails.

My standpoint is this.

  1. This is only relevant in the EU and websites are global
  2. We’ve always had privacy policies which said cookies were used

So how can you be compliant with this complete farce of a law? Simple: just write a bloody good privacy policy. This law is bullshit and it has been from day one. It doesn’t come down to impact on the user experience, which is what many industry loudmouths have been spouting off over. It comes down to it being sodding expensive to go through every site that provides service to people in Europe and audit them for a technological device that nobody even knew about, let alone gave a shit about, until somebody started threatening financial fines.

I will be encouraging all of my associates to update their privacy policies with encouraging and informative plain English content instead of legalese, and telling them to do absolutely nothing else.

UPDATE:

This is taken from the ICO blog (http://www.ico.gov.uk/news/blog/2012/updated-ico-advice-guidance-e-privacy-directive-eu-cookie-law.aspx)

First issued in May 2011, the guidance has been updated to clarify the following points around implied consent:

  • Implied consent is a valid form of consent and can be used in the context of compliance with the revised rules on cookies.
  • If you are relying on implied consent you need to be satisfied that your users understand that their actions will result in cookies being set. Without this understanding you do not have their informed consent.
  • You should not rely on the fact that users might have read a privacy policy that is perhaps hard to find or difficult to understand.
  • In some circumstances, for example where you are collecting sensitive personal data such as health information, you might feel that explicit consent is more appropriate.

Cookie law needs to go to the browser

In May a new law will be introduced in the European Union requiring websites to provide an opt-in policy for the use of cookies. This poses serious concerns over a number of areas of our experience on the web, potentially making every site a negative opt-in experience.

There are already a number of concepts on how to get acceptance for your site to use cookies, most of which are offensive to the eye, with a few putting up quite extreme brick walls before you can continue to your destination. A good example may be bt.com: by ignoring an acceptance you effectively accept the use of cookies and the site will function as it always has. This is not keeping true to the requirements, essentially making it an opt-out experience, one which I think most would prefer, but visually it does something quite engaging.

The law itself has been poorly written, overly complicated and doesn’t seem to have any solid reason or foundation for its existence.

Recently, articles have started to appear with guidance on what you should be doing in preparation. On the whole this has involved audits of what you’re using cookies for, writing them up in plain English for people to understand and updating your terms and privacy policies with the relevant information.

Why should we?

The idea of every site now having to provide some form of opt-in mechanism to work is lunacy. There are exceptions to the rule, mainly sites using cookies for transactional purposes, but it has yet to be clarified whether this will include tracking cookies.

There is a far simpler solution and in part it already exists.
To this day browser vendors still place options in the browser to disable JavaScript. Why not do the same for cookies?

There are billions of web pages and only a small number of browsers. To expect millions of people to fall in line with a law when it can be globally resolved by asking the assistance of the browser vendors would seem a logical solution.

The other glaring question is how to ask an international community to comply with a regionalised law. Virgin have started to do this with their blog, which is in its own right an eyesore.

I cannot see that little blog based out in Australia updating to meet these rules. What happens then? Will we have an EU firewall, shutting off sites that don’t comply?

Cookie Wars .net response

I wrote a response to the article on netmag regarding the forthcoming laws on cookie dropping in the UK/EU.

Here is my comment:

As an industry we have seen these kinds of regulations before and they get cast aside with great ease.
There is no internet police force because it would be like policing a nation of billions.

This is no different to the laws on enforcing triple A sites or, more relevantly, the use of JavaScript.

There is nowhere for this argument or regulation to go except for browser side. The fact that it wasn’t pushed there first is appalling. If you want to control the behavior of a website you do it with the viewing device not the site itself.

Think about your TV. If your favourite show comes in looking too orange, do you ring the network and tell them they’re streaming in a colour tone that doesn’t quite suit your taste? No, you grab the remote and change the saturation.

The browser is where this needs to happen, purely by numbers: fewer browsers than sites/pages.

http://www.netmagazine.com/opinions/cookie-law-gnarly-truth#comment-3925