Industry experts: ICO guidelines on cookies get cautious welcome

New ICO guidelines give leeway for a more nuanced approach to compliance, but some say more clarity is needed.

Guidelines issued by the Information Commissioner's Office (ICO) on how to comply with new regulations governing the use of cookies by online retailers have received a cautious welcome from industry and legal experts.

Changes to the Privacy and Electronic Communications Regulations (PECR) come into force on May 26, and are intended to protect consumers from unwanted marketing and an intrusive use of cookies that gather information about them.

Without explicit ICO guidelines, many companies feared the law would be too heavy-handed and would make websites difficult or impossible to use.


But the new guidelines issued by the ICO this week have helped to calm some of those fears.

“Cookies are strictly necessary for the operation of most e-commerce stores and many other online applications, and this doesn't impinge on privacy at all,” said Chris Barling, managing director of Actinic, a provider of e-commerce website software for small businesses based in West Byfleet, Surrey. “The only thing these cookies store is what the consumer has asked the website to do, such as add to their cart, look up a train time or plan a journey by air. The new guidance looks like it is starting to understand this fact, which is very welcome.”

The ICO advice document is intended to help companies consider what type of cookie or similar technology their websites use, for what purposes and how intrusive their use is, and offers advice on what method for obtaining consent will suit them.

The change in the rules on cookies means that consumers, who can currently choose to opt out of receiving cookies, will now have to give explicit consent to their use, a sort of cookie white-listing. This raised fears that many websites would become unworkable, but, as the ICO explains, the one exception to the rule is where the cookie is considered “strictly necessary.” For example, a website would not need to obtain user consent to use a cookie that ensures that, when users proceed to an online checkout, the site remembers the goods they wish to purchase.

“At last common sense has prevailed,” said Barling. “The key phrase from the new guidelines is ‘strictly necessary.’ The problem is that cookies have been fingered as the prime suspects for all privacy intrusion. It's like blaming cars for bank robberies just because criminals sometimes use them in their getaways.”

But Jon Fell, IT and telecoms partner at London law firm Pinsent Masons, warned that the law still needs to be clarified further. “Informed consent should mean you’ve been given all the information and you’ve had an opportunity to think about it. And then you do something to indicate you’ve understood and agreed. In the context of a website, that’s unrealistic. It’s not in the nature of the way people use the Web,” he said.

The ICO is currently advising that browser settings are not enough to presume consent from a user, and that some other more explicit approach will be needed, such as a pop-up giving advice, or getting users to agree to terms and conditions when they first visit a site. But, as Fell said, few users are willing to read a long list of terms and conditions, and many browsers are set to block pop-ups. Furthermore, Flash video cookies are not stopped by browser settings.

Barling agreed: “Asking for every user visiting every e-commerce site to either agree to terms or agree to the use of cookies would undermine the whole purpose of the legislation, as it will lead to consumers thoughtlessly and automatically agreeing. In fact, it's worse, as rogue sites could benefit from this by getting users to give permission for things that are actually dangerous, under the guise of agreeing to the use of cookies.”

However, the ICO admits that the current guidance is merely a first stage, and that further consultation is taking place within the industry to find more practical solutions. According to the ICO, the government is working with major browser manufacturers to establish which browser-level solutions will be available and when. “For now, though, you will need to consider other methods of getting user consent. What is appropriate for you will depend on what you are doing,” the guidance said. “You should also consider the fact that not all of your website visitors will have the most up-to-date browser with these enhanced privacy settings. You would still need to gain consent for those users.”

Fell’s advice is that companies should at least start by reviewing current practice. “The ICO doesn’t expect people to be compliant by day one, but companies do need to have a documented plan,” he said. “Start by working out what you have and what you are doing. Where you have session cookies that are really necessary for your shopping cart or for Google Analytics, you have less of an issue than if you have persistent cookies, interest-based cookies, advertising and third-party cookies. No-one has an absolute solution, but the more transparent you can be on your site, the better it will be for you.”
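One way to start the review Fell describes, as an added example that is not part of the article or any ICO guidance: a short Python script that takes a site's Set-Cookie headers, sorts each cookie into session or persistent and first-party or third-party, and flags those that cannot claim the strictly-necessary exception. The site name, the sample headers and the STRICTLY_NECESSARY list are constructed assumptions; which cookie names a site can justify as strictly necessary is the operator's call, not something the script decides.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

SITE = "https://shop.example"            # assumed first-party site
STRICTLY_NECESSARY = {"cart", "csrf"}    # assumed: names the operator has justified

# Constructed sample Set-Cookie headers, one cookie per header as a server sends them.
SAMPLE_HEADERS = [
    "cart=abc123; Path=/; Secure; HttpOnly",
    "csrf=tok; Path=/; SameSite=Strict",
    "remember_me=u42; Max-Age=2592000; Path=/",
    "_ad=xyz; Domain=.ads.example; Path=/; Expires=Wed, 09 Jun 2021 10:18:14 GMT",
]

def is_third_party(domain_attr, site=SITE):
    """True when the Domain attribute is neither the site host nor one of its parents."""
    host = urlsplit(site).hostname
    if not domain_attr:
        return False                     # host-only cookie: always first party
    d = domain_attr.lstrip(".").lower()
    return not (host == d or host.endswith("." + d))

def classify(header):
    """Describe one Set-Cookie header: session vs persistent, first vs third party."""
    jar = SimpleCookie()
    jar.load(header)
    (name, morsel), = jar.items()        # exactly one cookie per header
    persistent = bool(morsel["expires"] or morsel["max-age"])
    third = is_third_party(morsel["domain"])
    # Only a first-party session cookie on the justified list can claim the exemption.
    necessary = name in STRICTLY_NECESSARY and not persistent and not third
    return {"name": name, "persistent": persistent,
            "third_party": third, "needs_consent": not necessary}

def consent_required(headers=SAMPLE_HEADERS):
    """Names of cookies that fall outside the strictly-necessary exception."""
    return sorted(c["name"] for c in map(classify, headers) if c["needs_consent"])

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(classify(h))
    print("consent needed for:", consent_required())
```

The output is the inventory Fell says companies need for a documented plan: the persistent and third-party entries are the ones whose purpose and consent mechanism have to be written down first.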
