In IT circles at the moment there is a frantic buzz as companies scramble to show compliance with the so-called “Cookie Directive”. When the new rules came into force in the UK in May 2011, the Information Commissioner’s Office (ICO) indicated that it would allow a 12-month “grace period” for organisations to bring their websites into line.
That grace period ends on May 26th, and in true Agile/Lean/just-in-time style, many of those organisations are only now looking at how to show that they comply with the new requirements. The threat of fines running to six figures might have something to do with it: this new “cookie monster” has potentially very sharp teeth!
The aim of the “Cookie Directive” was to implement a European Union requirement (the ePrivacy Directive) that sites which use cookies or similar technologies to store or read information on a visitor’s device may only do so on the basis of “informed consent” collected from that visitor. The two key points that follow from this are:
1) users must be presumed to have refused permission unless they explicitly “opt in”, in contrast with the previous legislation, which allowed sites to presume permission unless users explicitly “opted out”;
2) users can only be presumed to have given “informed consent” when they understand what they are consenting to.
The first requirement, combined with the ICO’s advice that it is not acceptable to rely on browser settings alone (at least for the moment; there is talk that this may be revised as the major browsers release new versions reflecting the requirements), means that organisations have to think actively about how to gain consent in an explicit manner.
The second requirement, by contrast, forces organisations to work out how to state clearly, in language comprehensible to non-technical website users, which cookies they set and what they do with them. This has the beneficial side-effect of educating site owners about what they are actually using cookies for (and perhaps introducing them to what they could be using them for).
Which approaches the ICO will class as compliant is one of many questions that remain to be answered, but as Dave Evans, their Group Manager for Business & Industry, noted in an interview with EConsultancy.com:
“We will enforce the law proportionately. We’ll look at the risks if and when customers complain to us. If a website’s cookie and privacy is a risk to many people, we may then take action … not all cookies are equal, and our enforcement approach will bear this in mind”
As with so many things in life, there are as many possible approaches as there are people looking at the challenge. The International Chamber of Commerce (ICC) offers some useful guidance on cookie classification and on approaches to consent in its ICC UK Cookie Guide. Its suggested route to an “industry best practice” offers hope that, once some approaches have been shown to be compliant and to work well, users will be able to expect a similar experience from site to site, which in turn helps them to be better informed when making their decisions.
In the meantime, we can all exercise our creativity in working out how to provide the necessary information and gather consent from users without excessive adverse effects on the user experience.
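The mechanical heart of an opt-in approach is simple to state but easy to get wrong: no non-essential cookie may be written until the visitor has explicitly agreed, and the absence (or corruption) of a consent record must be treated as refusal, not as permission. The following is an added illustration, not code from the original post or from any of the sites mentioned. It uses the four cookie categories proposed in the ICC UK Cookie Guide, and assumes a first-party consent cookie named `cookie_consent` with a six-month lifetime; both are assumptions for the example. The functions operate on a `document.cookie`-style string and return `Set-Cookie`-style strings, so the same logic runs in a browser (pass `document.cookie`, assign the result back) or server-side against the `Cookie` header.

```javascript
// Added example: opt-in gating of non-essential cookies (not the original post's code).
// Pure functions over cookie strings, so it runs in Node without a DOM; in a browser,
// pass document.cookie in and assign the returned string to document.cookie.

const CONSENT_COOKIE = 'cookie_consent';      // assumed name of the first-party consent record
const CONSENT_TTL_SECONDS = 180 * 24 * 3600;  // assumed: ask again after roughly six months

// The four categories suggested by the ICC UK Cookie Guide.
// Only 'strictly-necessary' may ever be set without an explicit opt-in.
const CATEGORIES = ['strictly-necessary', 'performance', 'functionality', 'targeting'];

function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Parse "a=1; b=2" into a plain object. Malformed parts are skipped, not trusted.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (!name) continue;
    out[name] = safeDecode(part.slice(idx + 1).trim());
  }
  return out;
}

// Serialise a cookie as a Set-Cookie / document.cookie assignment string.
// Secure and SameSite=Lax are defaults here; the consent record should not be sent cross-site.
function serialiseCookie(name, value, { maxAge, path = '/', secure = true, sameSite = 'Lax' } = {}) {
  let s = `${name}=${encodeURIComponent(value)}; Path=${path}; SameSite=${sameSite}`;
  if (Number.isFinite(maxAge)) s += `; Max-Age=${maxAge}`;
  if (secure) s += '; Secure';
  return s;
}

// Opt-in reading of the consent record. The record comes from the client, so it is
// untrusted input: anything other than a well-formed list of known categories collapses
// to "strictly necessary only" (the opposite of the old opt-out presumption).
function consentedCategories(cookieString) {
  const allowed = new Set(['strictly-necessary']);
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  if (!raw) return allowed;
  let parsed;
  try { parsed = JSON.parse(raw); } catch (e) { return allowed; }
  const granted = parsed && Array.isArray(parsed.granted) ? parsed.granted : [];
  for (const c of granted) {
    if (CATEGORIES.includes(c) && c !== 'strictly-necessary') allowed.add(c);
  }
  return allowed;
}

// Build the consent record once the visitor has made an explicit choice.
// The record itself is treated as strictly necessary: without it the site cannot honour the choice.
function recordConsent(grantedCategories) {
  const granted = grantedCategories.filter((c) => CATEGORIES.includes(c) && c !== 'strictly-necessary');
  return serialiseCookie(CONSENT_COOKIE, JSON.stringify({ v: 1, granted }), { maxAge: CONSENT_TTL_SECONDS });
}

// Return the Set-Cookie string for `name` only if its category has been consented to; otherwise null.
// Every cookie the site writes should go through here rather than straight to document.cookie.
function gateCookie(cookieString, category, name, value, opts) {
  if (!CATEGORIES.includes(category)) throw new Error(`unknown cookie category: ${category}`);
  if (!consentedCategories(cookieString).has(category)) return null;
  return serialiseCookie(name, value, opts);
}

// Walk-through on constructed input: a fresh visitor, then one who opted in to performance cookies only.
const freshVisitor = '';
const afterChoice = recordConsent(['performance']).split(';')[0]; // what the browser would send back
console.log(gateCookie(freshVisitor, 'targeting', 'ad_id', 'abc'));      // null: no opt-in yet
console.log(gateCookie(afterChoice, 'performance', 'perf_sample', '1')); // set: consented
console.log(gateCookie(afterChoice, 'targeting', 'ad_id', 'abc'));       // null: not consented
```

The point worth noting for a security engineer is the last function: the consent record lives on the client and can be edited or corrupted, so the server-side reading must validate its shape and default to refusal rather than trusting whatever comes back. A "fail open" consent check (treating a missing or unparseable record as permission) would quietly recreate the opt-out regime the new rules replace.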
A few examples of how it has been done so far:
– The ICO’s own site has a fairly basic consent interface.
– Fife Council take a rather robust approach to highlighting the content inline, but their header bar gives fairly clear information about which cookies they use and what the options are.
– As might be expected of a large corporate entity, BT provide a fairly graphics-heavy explanation of what is used.