Cookies Must Crumble Before May Is Out

The ICO deadline for cookie compliance is upon us but there is little evidence of action and fines could mount up on 26 May, warns Eric Doyle

If there is an uncomfortable feeling in the back of your mind that May, 2012, is significant, it could be that you’ve been putting off adding cookie alerts to your websites.

The year of grace granted by the Information Commissioner’s Office (ICO) comes to an end on 26 May and all sites will then be required to comply with the Privacy and Electronic Communications Regulations. That means any sites that do not warn visitors that a cookie, or set of cookies, will be fed into their systems and offer the option to refuse the offer will be liable to a slapped wrist and probably a fine.

Track off

The regulation was brought in to allow Internet users the right not to be tracked as they surf around the Web. For years these tiny text files have been planted on systems to enable users to be recognised when they revisit a website to “enhance” their experience.

Properly used, the cookie is a blessing. It allows a site to “remember” user preferences and to keep a record of actions taken on the last visitation. Unfortunately, some cookies are shared between different websites and allow a user to be tracked as they move from site to site and this record has been used to construct a profile of users’ surfing habits and to target advertising – or junk mail as it turns out to be more often than not.

According to Kim Walker, a partner at law firm Thomas Eggar, companies have been tardy in responding to the ICO’s wishes. A survey conducted almost three months ago by Ctrl-Shift found that none of the top 100 retailers had fully complied with the requirements.

“Despite this apparent laissez-faire approach, the fact remains that each business still needs to carry out its own assessment of how it uses cookies,” she said, “and then tailor its solution to that use and to its customers. Merely waiting until the end of the lead in on 26 May is not going to be acceptable and the Information Commissioner’s Office has issued clear guidance during this year, in which its states that it expects website owners to have carried out that audit as a minimum.”

The ICO itself has been setting a good example by being compliant for just over a year now . Visitors to the site are met with a clear request: “The ICO would like to place cookies on your computer to help us make this website better. To find out more about the cookies, see our privacy notice.” A hyperlink on “privacy notice” takes the user to an explanation of what the cookie does.

If anyone is trusting of the ICO, they can simply tick a box and the cookie is delivered. Those who choose not to accept the cookie will be nagged every time they visit. Perhaps “nagged” is a little unfair because it just means the request continues to appear at the top of each page and can be ignored.

Brownie points

Walker gives an eight-point summary of the ICO’s minimum requirements as an action list:

  • Any cookies which show creation of detailed profiles of an individual’s browsing activity should be clearly identified to users
  • Determine what types of cookies are used on a website, on both an individually identifiable and anonymised level
  • Analyse how those cookies will be used and for what purpose
  • Remove any outdated/unnecessary cookies
  • Assess how intrusive the use of cookies will be for the visitor
  • Decide on best solution to obtain consent
  • Evaluate the likely business impact of users exercising their right to remove consent
  • Ensure that the current privacy statement on the website is updated in line with the new regulation

From an owner’s point of view, the seventh point about the business impact is important. In the past, cookie blockers have been used to prevent the download of any cookies from a site. This can have serious effects by making the site unusable. A common effect is that the visitor is redirected to a page that explains how to turn cookie acceptance on – and will not allow access otherwise.

Such barriers can be annoying and, to be fair, is damaging to the website owner because potential customers may be driven to the more-forgiving site of a competitor.

“In spite of the layer of complexity that the new regulations bring, cookies remain a valuable tool with a myriad of uses,” Walker said. “The thousands of businesses and organisations affected should not be overly daunted. Consumers are increasingly savvy about their privacy rights, and of how their data is used, and well aware of their rights to remove consent. Businesses that choose to flout the new regulations risk not only hefty financial penalties but also the ensuing negative perceptions of non-compliance.”

She added that well-prepared companies would benefit from the positive public relations points gained for best practice cookie usage and transparency. Non-compliant companies are likely to gain bad publicity as fines are imposed.

So 26 May should be ringed in red on every webmaster’s calendar. It may be a lot of hack work for some but failure to tackle the cookie monster will offer no crumbs of comfort.

How well do you know Internet security? Try our quiz and find out!