The nonsense of the EU cookie law

The following is the text of a letter I sent to the Guardian following the enactment of the new EU cookie law on 26th May. The Grauniad didn’t publish it and I meant to post the text anyway but had an extra prompt today from an article reporting that, a couple of weeks later, four out of five UK organisations are ignoring the law.

I manage several websites in various capacities and this law has been a great worry for firms ever since it was announced.

The likely interpretation of the law has been unclear and much (mis)interpreted, so even though all the sites I manage use cookies in a completely harmless way (for instance to anonymously keep a count of the number of visitors and page views, or to work a shopping cart), I’ve had to spend time auditing cookies, attending workshops, liaising with colleagues, clients, legal advisers and external suppliers, wading through the ICO’s own information and other articles offering their interpretations, and trying to update web content accordingly.

While you can’t expect web developers to work for nothing, I’ve found that some web development firms have taken advantage of the law to charge hundreds or even thousands of pounds to implement hi-tech cookie-control solutions – especially dubious when there is a duty of care to ensure a client’s website complies with law. And although there are open-source solutions available, technical knowledge is still required to put those in place.

One website I manage is for a small cheese shop business and for them to consider spending even a few hundred pounds on a developer to implement a cookie-control widget has been an unwanted distraction and concern for them, especially in this climate. They also depend on analytics software, which uses cookies, to see which parts of their site their visitors are viewing so they can interpret that information to improve the site and remain competitive. As the legislation has again been unclear on this, small firms especially have been stuck between a rock and a hard place in deciding whether to risk breaching the law to retain reliable statistics.

And only now in the past few days, after firms have spent time and money trying to comply, do we hear that most of the Government’s own websites won’t comply in time – this may not actually be surprising given the Government’s contempt for the Information Commissioner’s demand to release the NHS Risk Register, but it hardly sets an example to ordinary businesses and citizens who have no such ability to ignore the ICO.

To rub salt into the wound, the ICO’s Dave Evans announces the very day before the law is implemented that “implied consent” is acceptable and that he finds it “hard to imagine a situation in which we will levy a monetary fine”. The latter is especially disingenuous when the ICO have referred clearly on their website to their maximum fine of £500,000 in relation to this law and others within their remit.

Even though the law may have originally been well-intentioned to protect consumers from a minority of malicious website owners, the ICO themselves admit they won’t be able to monitor every website and so will depend on consumers reporting potential breaches – but when most average users don’t even know what a cookie is, what’s the likelihood of them knowing a website is in breach?

The ruling and its management have left ordinary, honest businesses confused and out of pocket, while normal consumers are as much at the mercy of malicious website owners as before. Both will feel the ICO, EU and Government have let them down.

Addendum: possibly the only good thing that’s come out of the law is the BBC’s fabulous retro photos on its privacy and cookies pages.