Cookie law - will it rumble or crumble?
The ‘cookie law’ aims to protect your online privacy - but it also impairs the website experience
Kim Walker: “multichannel environments are creating the need for a more sophisticated approach”
Will recurrent popping up of standard information annoy users, and even make them suspicious of legitimate sites?
The latest bit of EU legislation aims to protect the privacy of anyone visiting UK-owned websites by notifying them of cookie usage – but it is also impairing the website experience and jeopardising revenue opportunities, its critics are claiming.
Since its announcement in 2011, and implementation last May, the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 - aka 'cookie law' or 'cookie directive' - is proving to be some of the most contentious IT legislation from Brussels to come into force in the UK.
The directive was intended to ensure that 'consumers' of Web-based information are customarily informed when a website they are visiting has downloaded a cookie onto their PC. A cookie is usually a small piece of data sent from a website and stored in a web browser while a user is visiting that website. If the user browses the same website again, data stored in the cookie can be retrieved by the website to apprise it of the user's previous activity. The directive amendment is primarily aimed at ensuring that consumers are fully aware that their browsing habits are being monitored and checked, and also that website owners are retaining the data about them.
Many UK website owners have complied with the requirement: anyone browsing sites owned within the EU will have noticed a higher incidence of cookie alerts popping up. Some appear discreetly in a corner of the page, others more intrusively.
"The law was meant to protect the privacy of people using the Internet. To accomplish this the EU made over 90 per cent of websites illegal," Oliver Emberton, managing director of software firm Silktide, has declared. This recurrent popping-up of standard information is, however, one of the reasons why the directive has drawn criticism and opposition from many quarters. Online communities feel that the alerts may not only prove an irritant to online users, but may actively deter them from 'entering' online stores, or make them suspicious of otherwise legitimate sites.
The problem is that, although once an optional extra for most websites, cookies have become a vital aspect of Web functionality and service delivery, as well as providing much of the core data used by Web analytics tools that reveal valuable statistics about Web usage, for commercial and non-commercial applications.
"Websites could stop using cookies, but generally only by losing some functionality on their site," Silktide's Oliver Emberton continues. "Because cookies are so ubiquitous, this isn't easy." Like some other cookie-law critics, Emberton believes that most Web users care neither about cookies, nor the fact that their browsing habits may be tracked for whatever reason. In plain terms, when the various purposes of cookies are explained to them, it is something that they are willing to accept given the convenient functions that cookies also serve, such as setting user preferences, and 'add to basket' functions on retail sites, say.
Emberton has directed some critical attention at the Information Commissioner's Office's (ICO's) guidance on this issue. "The vast majority of user preferences are privacy-neutral: preferred font size, or what order they would like their news articles to be displayed in, [for example]" he says. He would argue "that if a user sets a preference for a website, say by clicking on a button, that they 'explicitly requested' a service, and that to provide that service cookies are 'strictly necessary'."
The alleged failure of the cookie law to take into account the specific subtleties of cookie usage has put it in the light of a draconian measure that does not take account of the consequences, both predictable and unforeseen. Few pundits would question the EU's earnest desire to protect Web users, and to make cyberspace a safer place to roam; but for many observers the directive's amendment simply goes too far by its blanket application to all cookie usage.
"There may, of course, be unforeseen consequences of the enforcement of this legislation, but, in my opinion, the really big issue [is] 'consent'," says Dr Rosi Armstrong, researcher at the Centre for Secure Information Technologies. "The point of the European Commission (EC) updating this legislation was to tackle the issue of the use of third-party cookies to track Web users across multiple websites [and serve them relevant but unrequested adverts]."
However, the EU's decision to legislate for all cookies, including 'first-party' cookies, which do have many legitimate and useful purposes, has led to much industry outcry, says Armstrong; so, as the UK was obligated to bring the directive into force, it has, she suggests, mitigated the impact of the legislation to satisfy industry by allowing 'implicit' consent to the use of cookies: "So, a website can now display a cookie notice such as 'This website uses cookies. Cookie information can be found by clicking here. You can accept or reject our cookies by clicking here, if you continue to use our website we will assume that you accept our use of cookies' [and] the result will be that most users won't read the information about cookies, and will just continue to use the website and continue to receive cookies."
This is not very different from the situation under the previous cookie rules, adds Dr Armstrong, where information about their use was usually found in privacy notices, which "were not read by the average user, and user consent was implied from their continued use of the website".
She adds: "At this time I can't see that there will be many 'operational consequences' as the enforcement of the legislation starts to bite, as the purpose of the law has been largely circumvented. It will be interesting to see if the EC (who have not been keen on 'implicit' consent) and other Member States will take the same stance on consent as the UK. I would not be surprised to see disapproval from the EC."
Cookie jars
However, the recent hullabaloo around the latest cookie legislation has also stirred debate about the changing nature of customer relationships online. Cookies have over the last three years become an integral 'hook' in enabling multichannel retailing. At the same time, and in spite of the added complexity that new regulations bring, cookies remain a valuable tool with a myriad of uses for thousands of businesses big and small.
Alleged ambiguities in the directive, and in how the ICO's interpretation has been relayed to UK website owners, have also attracted attention from the legal sector. Consumers are increasingly savvy about their privacy rights and how their data is used for their benefit, and are well aware of their rights to remove consent, suggests Kim Walker, a lawyer at Thomas Eggar.
"[E-tailers now operate in a] multichannel environment: social network communities, location-aware devices, mobile apps, and the monitoring of what customers are saying about retailers on social networks, are all creating the need for a more sophisticated approach," Walker says, "and a data protection and e-privacy protocol that creates a totally safe environment for a brand and its customers to interact."
James Mullock, data protection partner at law firm Osborne Clarke, describes the ICO's redefinition of the implications of 'consent' as "a great help, but it's only a UK position and it still leaves website owners in the position of having to both understand what cookies they use, and also to undertake web-design gymnastics to explain the position and get consent from users."
Many multichannel retailers are exploring the use of social networks, Thomas Eggar's Kim Walker adds, and how they can create online communities of shoppers who are already known to like the brand: this form of social support creates an enormous opportunity to interact with customers, but it also opens brands up to the accusation of going too far in their relationship with the consumer. Cookie deployment is at the heart of this relationship.
Online advertisers are another interest group likely to be disinclined toward fully-legislated cookie usage: any factor that causes click-through banners to present obstacles to the experience will be unwelcome.
"Cookies are a key part of many online businesses - they help websites to perform better, and can eliminate time-consuming tasks such as re-entering address details for our online shopping," observes Vinod Bange, partner at law firm Taylor Wessing. "Without doubt this new directive will be a cause of concern for advertisers, especially online advertisers, and the retailers that use advertisers for additional revenue and to refine sales conversion. This is a growing industry which will be heavily impacted if the directive is fully and inflexibly enforced."
Thomas Eggar's Kim Walker gives another example of how implementation of the directive could change customer relationships: "Imagine a scenario where a customer is a fan of a company on Facebook and then checks in to a branch on Facebook Places, allowing the company to text them a voucher valid for one hour. There is no problem with data protection in this context, just so long as the Facebook page makes it clear that being a fan means receiving vouchers. Indeed, most customers would probably want that anyway. The problem comes when retailers either ignore or do not understand the complexities of online marketing."
The fact that the UK has more stridently implemented the cookie law while other affected EU member nations are perceived to have blanked it is another cause of ire - especially for UK online retailers who feel that compliance risks disadvantaging their competitive stance against non-compliant competitors. "Given that the rest of mainland Europe is yet to take this directive seriously, it is a shame that 'UK Plc's online economy is being jeopardised," warns Taylor Wessing lawyer Vinod Bange. "Such red tape may also result in start-ups choosing to 'start-up' outside of the UK, which goes against the government's [...] support of high growth business centres such as London's Tech City."
An obvious result of the whole "debacle" has been the hardening of the EC's view that data protection laws should be uniform across the EU, says Osborne Clarke's James Mullock, "so future regulation will likely be introduced without allowing Member States to hone the rough edges left by the same law makers who proposed the Cookie Directive. I'm afraid that the future looks likely to feature more business-unfriendly laws with less scope for practical local workarounds (like implied opt-in consent). Business will at least have a harmonised set of laws to comply with, not a patchwork quilt of different approaches to the same law."
One of the most ardent critics of the cookie law as it stands remains Silktide managing director Oliver Emberton, who has authored what claims to be a 'definitive guide' to the issue that covers the main objections to the extant legislation. Emberton's 42-page document, available online, sets out the reasons why he thinks the law is flawed, but in the interests of balance, also looks at the pro-cookie-law arguments, and puts forward some possible solutions to the situation.
"No one wants to add [cookie consent messages] to their website, and most visitors are unlikely to be happy about it either," he writes. "When [I] started writing 'EU Cookie Law - the Definitive Guide', [I] tried to be neutral, but that rapidly became impossible," he stated. "[I] don't agree with the law - at least [not] in the way it's written now. It comes over as a technically illiterate shambles. It was impossible to research the new cookie law without developing a thorough hatred of it."
Further information
Is the cookie legislation really that onerous?
The amended Privacy and Electronic Communications Regulations have received criticism from some website owners and others; so how valid are their views? We attempt to balance some anti-lobby objections that have appeared in the public domain...
Steve Masters, campaign delivery manager, VerticalLeap:
"The problem for the millions of website owners is that they now need to put an obtrusive message in the way of their visitors, asking them to accept cookies before proceeding. The EU cookie law is a stupid law created by people who do not understand the Internet; a sledgehammer to crack a nut. If all websites comply, the Web will be rendered unusable and unenjoyable and the very people the law is supposed to protect will actually be the ones who also suffer."
E&T says: Websites we have seen asking our permission to store cookies feature a small drop-down menu that is instantly removed with a single click or disappears after a few seconds - arguably far less obtrusive than pop-up advertising and visitor experience feedback forms. Compliance will not render the Web unusable: cookies which store data so that a user does not have to fill out multiple forms, enhance traffic load balancing, and are transaction-specific, like tracking a basket of goods up to the online checkout, are exempt from the law, so website performance is unlikely to suffer.
Web software analytics firm Silktide:
"To ask for permission, a website must interrupt their visitors - say, with a popup, or slide-down accordion. No one wants to add these to their website, and most visitors are unlikely to be happy about it either. Websites could stop using cookies, but generally only by losing some functionality on their site - and because cookies are so ubiquitous, this isn't easy."
E&T says: The loss of functionality in question is all in favour of the website owner and its advertisers rather than user, and there is no evidence as yet to suggest whether visitors are either happy or unhappy about the type of pop-ups websites are being asked to implement.
Michael Ross, former CEO, Figleaves.com:
"The EU cookie law is simply a bad law and a restraint to trade online at a time when business needs all the help it can get. Trading online without using cookies for analytics or various types of marketing tracking is analogous to asking a retailer to trade blindfolded. It's simply not possible."
E&T says: Online advertising (rather than core business) revenue may be affected; but there are other ways to gather Web analytics for marketing purposes, and the Web industry is likely to find new ones. Making sure the user logs in on every visit to the site is one example, while e-commerce sites, publishers and advert networks are looking to new Device ID or browser fingerprinting technology as a possible alternative, though the same privacy concerns, if not yet legislation, would apply.
Malcolm Coles, product director, Trinity Mirror:
"There's no education about it (so it's irrelevant to consumers) and it imposes a significant burden on businesses without any sort of clarity about practical implementation. Users will get less relevant ads if they reject cookies and we can't track how people use our sites. Ultimately websites will get less relevant. I imagine if lots of people reject cookies aimed at improving the quality of sites, you'll start getting popups saying 'this website is [going to be cruddy] unless you accept cookies. Click here to proceed'."
E&T says: Adding a simple pop-up window to a webpage does not seem like a significant burden for in-house development teams, and it is not clear how many visitors recognise targeted ads based on previous purchasing history, or care. Research from customer data platform company QuBIT suggests that 60 per cent of Internet users polled refuse to accept cookies if asked to opt in, but 99.9 per cent give 'implied consent' if they are simply notified that a visited site uses cookies, but take no further action.
Nick Halstead, CEO, Tweetmeme and DataSift:
"It clearly makes UK companies less competitive because sites we build will need to be plastered with warnings - and our competitors will not. It is a well-known fact that at each stage of a sign-up process you lose customers - if you have to have a big warning sign just for a cookie that will remember you for purely convenience so that it keeps you logged in. The user won't read that detail - they will just think you're a privacy nightmare and won't sign up."
E&T says: Piecemeal compliance could provoke competitive issues initially, but enforcement should create a level playing-field that removes arguments about losing sales and/or visitors. Better consumer education about the impact of cookies would be advantageous, but rather than see cookie menus as an inconvenience, many will feel more secure knowing they are using a compliant website.
Geolocation imperative?
Silktide's Oliver Emberton is not calling on websites to ignore the directive - the ICO can impose fines of up to £500,000 for proven non-compliance - but does reckon the risk of prosecution or penalty is "low". The reality is that all EU websites, no matter how large or small, will eventually have to adhere to the new rules, says Ramsés Gallego, vice president at industry body ISACA.
One area of concern for ISACA around the directive is the cyber-security implications for geolocation - the identification of the real-world geographic location of an object, such as a mobile phone. Geolocation is a discipline that is now firmly on the Internet-savvy business agenda, Gallego says, as it "can bring tremendous marketing rewards", in the form of geo-marketing activities, targeted-messages, and suchlike.
The new legislation, however, "presents a number of risks to portals that use geolocation. These risks can potentially outweigh the rewards because the site is required to interpret a lot of the data on the user 'in the clear', including location, time and Web-browsing habits."
Therefore, organisations need to be cautious if embracing mobility and the features that come with it, Gallego warns, and ensure even more that data collection from mobile devices is included within their enterprise security strategy, and that mobile devices are integrated within business asset management programmes: "The issue here is that a growing number of mobile devices have corporate information stored on them, and are used for enterprise activities. The cookie directive obliges service providers to explicitly indicate that the browsing session on a given set of Web pages is being tracked/recorded." The directive's implications and implementations pose "difficulties from a security perspective".