ICO blog: half term report on cookies compliance

Back in May this year, we published advice on how to comply with the revised cookie rule. The rule had just been implemented as part of the review of the ePrivacy Directive. In the advice, we set out what the law said, what it required and what it means for those who have to comply.

Some people were moved to suggest that the Information Commissioner’s advice had “killed the internet”. They were wrong in two ways: compliance with the law itself, not our advice, presented the biggest challenge to how things work; and, of course, the internet is still very much alive and well. But more measured reactions, from people who felt that compliance would be difficult and would take time, money and effort, reflected our own views at the ICO. As we said at the time, “implementation of this new legislation is challenging and involves significant technological considerations.” We recognised that compliance could not be achieved overnight, that we could not simply switch off the internet and start again and that really good practice would only emerge once everyone had time to think of and develop innovative ways of giving more and better information to users to allow those users to make informed decisions about their online activity.

What I want to see are good solutions rather than rushed ones and that was why, when we published the guidance, I made it clear that there would be a 12 month lead-in period during which it was unlikely that the Commissioner would take formal action against organisations who were not complying with the new law. This was not a suspension of the law and I did not rule out taking action where there was an egregious breach but it is not good regulation to punish people for things they do not yet understand or where the tools for compliance are in development.

We are now halfway through the lead-in period and this half term report is intended to give the ICO’s view of what has been done and what still needs to be done. It should be read in conjunction with the updated version of the advice which we have published and which answers many of the questions we have been asked over the past six months. The report can be summed up by the schoolteacher’s favourite clichés: “could do better” and “must try harder”. A report that listed the URLs of sites that were perfectly compliant from day one would be very short indeed. This is not a surprise to anyone who recognises that redeveloping and redesigning is no easy task.

There are, however, good things being done. I cannot endorse specific products or services but I do feel that it is important to mention that there are people going about this the right way. I am glad to see them following the advice, setting the standards and, of course, learning as they go because if someone else contacts my office wanting to know how to comply, it is much better for us to point them towards an example of something that really works than simply tell them what we think might work.

Finally, I want to make it clear what will happen after 26 May 2012, the end of the lead-in period. There will not be a wave of knee-jerk formal enforcement action taken against people who are not yet compliant but trying to get there. If you are working towards compliance and following my advice then keep going. If you haven’t started yet, you need to be reading the advice, speaking to your peers, looking at how other websites inform and empower their users. But if you have decided that this is all too difficult, that you don’t want to give your users choices about how your web pages might collect information about them or that you will get around the law by wilfully misleading people about what you do and how you do it then be assured that if we get complaints or have concerns then we will be checking your site and we will take the necessary steps to ensure that you do work towards compliance.

Overall impressions

  • It would be naïve in the extreme to suggest that every website is well on the way to being compliant with the new rule.
  • If your website uses cookies and you are not doing anything to get consent then you are not compliant.
  • People have not been slow to express their alarm at what this new rule means but they have been slow to demonstrate what they are doing to comply.
  • There are, however, pockets of good practice, people who are tackling the practicalities of compliance in a way that demonstrates they want to be open and honest with their users and take account of people’s preferences.
  • The ICO’s response to those who claim that following good practice advice is impossible will be, “if they can do it, why can’t you?”

Specific feedback

“Consent is impossible online.”

Really? Here are some examples of perfectly valid consent for things other than cookies – why not adapt some of the methods you use to get indications of users’ wishes for other things such as agreement to terms and conditions, remembering settings or confirmation of the type of service they want?

“It will take years to comply.”

No-one is pretending that it can be done overnight but there are some ‘quick wins’ to be had and these are set out in our updated guidance. Remember also that part of the new rule is a requirement to give clear and comprehensive information to your users about cookies and that this requirement has been in place since the 2003 Regulations came into force; if you are struggling with this part of the rule you are seriously lagging behind.

“People never read the cookie information anyway.”

If you were frustrated that some of the content you offer on your website was not being read, wouldn’t you think of ways to make it more visible? Saying no-one reads the privacy policy and linking to it in the footer of the page in tiny font is not good enough.

“Consent needs pop-ups and everyone hates pop-ups.”

Pop-ups for every cookie would be a pain and they might not work for everyone but lots of websites use pop-ups, splash pages and the like for other things like marketing, surveys and notification of changes to the website so why are they such a bad idea for cookies?

What we have seen

  • If you are wondering where to start, some organisations have been using the simple bullet point list in our advice or a version of it as a guide to assessing what needs to be done.
  • People have come forward and sent us their ideas. These range from comprehensive cookie management tools for webmasters to cookie consent buttons to banners asking users about cookies.
  • Many of these tools are already available – we can’t endorse specific products or services but look around and decide whether any of them work for you.
  • People are collaborating at industry and sector level. Some are looking to develop text that ensures users will get understandable and consistent messages about cookies across lots of different domains.
  • Browser manufacturers are developing tools which will allow consent for many cookies to be built-in to the user’s settings.
  • At the more complex end of the spectrum, those involved with online advertising are looking at how best to inform users about how particular content is served and what options are available.
  • Many of these examples might not, on their own, be enough to make you comfortable about your own compliance but they are all genuine attempts to deal with the issues raised by the new law and we want to see more of them.

What we have done

  • This report is to be read alongside an updated version of our advice (the earlier version was published in May this year).
  • There are no major revisions and the main thrust of the advice – audit, prioritise, create – remains the same.
  • We have, however, tried to answer as many of the questions that have been asked over the last six months and the main revisions you will find relate to the following areas: what is “strictly necessary”, analytics cookies, our regulatory priorities, examples of what works, details of what a cookie audit looks like.
  • We have also been speaking to the people who are trying to comply – we want them to understand what we want to see so that they know their efforts are worthwhile.
  • We have been in regular contact with other regulators and with UK government about what we see as the likely impact of the changes.

ICO aims

  • We will allow for a greater focus on wilful non-compliance by letting those who are making genuine attempts to comply get on with the job without unnecessary interference from the regulator.
  • We will further reduce the burden on those trying to comply by ensuring that our response to complaints recognises ongoing work.
  • We will give realistic and practical advice to those who ask for it.
  • We will be clear about how this work fits in with our strategy on regulatory action.
  • We will apply the rules consistently.

What the ICO expects of you

There is no silver bullet and we are not expecting you to invent one. If we approach your organisation about this topic, perhaps because we have received complaints, we expect you to be able to tell us what you have done so far, how you expect to be compliant and how long it will take. Exactly what you tell us will depend on who you are, the sophistication and complexity of your website and who your users are but we will expect that you can tell us something.

Two general questions that might help in this regard might be, “is my website doing anything that my users don’t know about?” and “am I confident that I am giving them appropriate options?” Your confidence might stem from the fact that you have switched all your cookies off until users tell you to switch them on again. It might stem from the fact that many of your users are registered with you and as part of the registration process they have indicated to you that they are happy for your site to work in a certain way. Or it might stem from the fact that your users will know that some things are more likely than not going to happen when they arrive at your site and that if they want to make choices about those things they know where to go and what to do.

The first option is the safest one. The second is just as safe provided that you are honest and upfront with registered users and that you can rely on the fact that they have made an informed decision to click that “Agree” button. It also, of course, only applies to some of your users – how will you ensure that the one-off or casual user is not left with a browser full of persistent and unwanted cookies?

The third option relies on a lot of factors that might be out of your control such as the general level of user awareness. You can and should, though, do whatever you can to demonstrate your compliance. Three things will help: following the ICO advice, looking for and implementing the ‘quick wins’ and keeping an eye out for industry or sectoral standards and codes. After all, if everyone else in your area of business has done a cookie audit, is changing the way they explain things to users and has engaged with industry peers to come up with consistent messages, the ICO might reasonably ask “if they can do it, why can’t you?”

If you’d like to get in touch with feedback or comments please find us on Twitter @ICOnews or email blog@ico.gsi.gov.uk

Christopher GrahamChristopher Graham, Information Commissioner, has a range of responsibilities under the Freedom of Information Act 2000, the Data Protection Act 1998 and related laws.
This entry was posted in Christopher Graham and tagged , , . Bookmark the permalink.