The following is the text of a letter I sent to the Guardian following the enactment of the new EU cookie law on 26th May. The Grauniad didn’t publish it, and I meant to post the text anyway, but had an extra prompt today from an article reporting that, a couple of weeks later, four out of five UK organisations are ignoring the law.
I manage several websites in various capacities and this law has been a great worry for firms ever since it was announced.
While you can’t expect web developers to work for nothing, I’ve found that some web development firms have taken advantage of the law to charge hundreds or even thousands of pounds to implement hi-tech cookie-control solutions – especially dubious when there is a duty of care to ensure a client’s website complies with the law. And although there are open-source solutions available, technical knowledge is still required to put those in place.
And only now in the past few days, after firms have spent time and money trying to comply, do we hear that most of the Government’s own websites won’t comply in time – this may not actually be surprising given the Government’s contempt for the Information Commissioner’s demand to release the NHS Risk Register, but it hardly sets an example to ordinary businesses and citizens who have no such ability to ignore the ICO.
To rub salt into the wound, the ICO’s Dave Evans announces the very day before the law is implemented that “implied consent” is acceptable and that he finds it “hard to imagine a situation in which we will levy a monetary fine”. The latter is especially disingenuous when the ICO have referred clearly on their website to their maximum fine of £500,000 in relation to this law and others within their remit.
Even though the law may have originally been well-intentioned to protect consumers from a minority of malicious website owners, the ICO themselves admit they won’t be able to monitor every website and so will depend on consumers reporting potential breaches – but when most average users don’t even know what a cookie is, what’s the likelihood of them knowing a website is in breach?
The ruling and its management have left ordinary, honest businesses confused and out of pocket, while normal consumers are as much at the mercy of malicious website owners as before. Both will feel the ICO, EU and Government have let them down.
Addendum: possibly the only good thing that’s come out of the law is the BBC’s fabulous retro photos on its privacy and cookies pages.