Without explicit ICO guidelines, many companies feared the law would be too heavy-handed and would make websites difficult or impossible to use.
But the new guidelines issued by the ICO this week have helped to calm some of those fears.
“Cookies are strictly necessary for the operation of most e-commerce stores and many other online applications, and this doesn't impinge on privacy at all,” said Chris Barling, managing director of Actinic, a provider of e-commerce website software for small businesses based in West Byfleet, Surrey. “The only thing these cookies store is what the consumer has asked the website to do, such as add to their cart, look up a train time or plan a journey by air. The new guidance looks like it is starting to understand this fact, which is very welcome.”
The ICO advice document is intended to help companies consider what type of cookie or similar technology their websites use, for what purposes and how intrusive their use is, and offers advice on what method for obtaining consent will suit them.
The change in guidance involving cookies means that consumers, who currently can choose to opt out of receiving cookies, will now have to provide explicit consent for their use -- a sort of cookie white-listing. This raised fears that many websites would become unworkable, but, as the ICO explains, the one exception to the rule is where the cookie is considered “strictly necessary.” For example, a website would not need to confirm user consent to use a cookie to ensure that, when users proceed to an online checkout, the site remembers the goods a user wishes to purchase.
“At last common sense has prevailed,” said Barling. “The key phrase from the new guidelines is ‘strictly necessary.’ The problem is that cookies have been fingered as the prime suspects for all privacy intrusion. It's like blaming cars for bank robberies just because criminals sometimes use them in their getaways.”
But Jon Fell, IT and telecoms partner at London law firm Pinsent Masons, warned that the law still needs to be clarified further. “Informed consent should mean you’ve been given all the information and you’ve had an opportunity to think about it. And then you do something to indicate you’ve understood and agreed. In the context of a website, that’s unrealistic. It’s not in the nature of the way people use the Web,” he said.
The ICO is currently advising that browser settings are not enough to presume consent from a user, and that some other more explicit approach will be needed, such as a pop-up giving advice, or getting users to agree to terms and conditions when they first visit a site. But, as Fell said, few users are willing to read a long list of terms and conditions, and many browsers are set to block pop-ups. Furthermore, Flash video cookies are not stopped by browser settings.
However, the ICO admits that the current guidance is merely a first stage, and that further consultation is taking place within the industry to find more practical solutions. According to the ICO, the government is working with major browser manufacturers to establish which browser-level solutions will be available and when. “For now, though, you will need to consider other methods of getting user consent. What is appropriate for you will depend on what you are doing,” the guidance said. “You should also consider the fact that not all of your website visitors will have the most up-to-date browser with these enhanced privacy settings. You would still need to gain consent for those users.”
Fell’s advice is that companies should at least start by reviewing current practice. “The ICO doesn’t expect people to be compliant by day one, but companies do need to have a documented plan,” he said. “Start by working out what you have and what you are doing. Where you have session cookies that are really necessary for your shopping cart or for Google Analytics, you have less of an issue than if you have persistent cookies, interest-based cookies, advertising and third-party cookies. No-one has an absolute solution, but the more transparent you can be on your site, the better it will be for you.”