Have Too Many Cookies Spoiled The Broth?

May 26th saw a year pass since the introduction of the new ‘cookie rule’ under PECR but still a few things stand out. How many companies have taken this on board and actually done something about it? How many consumers really understand what it is all about and are happy with the consenting system? Then there are the facts thatBelgium,Denmark and theNetherlands are still to implement anything and are now looking at sanctions from the EC. 

So how many companies have complied? It is hard to say as there does not appear to be any controlling function that tests websites for cookie compliance. The ICO has made some investigations and it seems some are struggling auditing their cookies due to the vast number of them whilst others are still setting their plan in place. ICO has also published guidelines on what companies should already be doing, but are they? If they have not got cookie controls in place then they must have a firm plan for implementation and a short term compliance completion date. Failure to do so could end up with formal undertakings or enforcement action being taken by the Commissioner.

The new legislation requires that positive consent is required to place a cookie onto a users PC. This has been vigorously campaigned against by many data administrators as being overkill and likely to result in nobody allowing cookies. These fears seem to be unfounded as more and more users seem to be allowing the cookie to be planted but do they actually understand why they are allowing it, or is it just to allow them access to certain websites? I for one am happy with the new regime, my website does not place cookies and I am now able to manage them much easier and my laptop seems to be operating a lot faster for it too, but that is probably just coincidence……

The ICO guidance for companies has a few interesting stats about consumer awareness of cookies from a study of 1000 users.

  • 41% were unaware of the different types of cookie (first party, third party, Flash/Local Storage)
  • 50% were aware of first party cookies
  • 13% fully understood how cookies work
  • 37% had heard of cookies but did not know how they worked
  • 2% had not heard of cookies before the survey
  • 37% said they did not know how to manage cookies on their computer

This goes to show just how important the new regulations are as some of those stats are scary numbers and, just like with other new technology, the users have to be taught how it all works so they can decide what they want to do. In the interim it would seem that the planting of cookies will continue unabated for several years until the public get wise to what is happening.

The guidance given by the ICO is, as always, very informative but again, as always, very long winded and in some places open to interpretation. One point made very clear is that of the First principle in that all users of a website must be able to understand what is going to happen to their information, both obvious and hidden in the cookie action. Implied consent is becoming a thing of the past as the public are being given back control of their personal information again. Is that really as bad as the industry is making out? Surely if the consumer has more control then they will have more confidence in websites that are complying with the act won’t they? All that will happen is that the more unscrupulous websites will be found out and lose out, and is that also such a bad thing? Do we actually want companies harvesting and selling on our personal data and likes to all and sundry? I certainly don’t want this and would suggest that this would be the same for most of the general public, which I am also part of….

Another important part of this is making sure the explanation about the cookies is in plain language and not couched in techno-babble, as I found on one site that I promptly turned off the cookie for! Which brings me on to another important area, the ability of the user to be able to turn off cookies that they had previously had turned on. This means that your cookie statement should appear at every occasion a user accesses your site, not just random appearances, to enable them to withdraw their consent if they wish. I have seen quite a few websites where this is not happening and, if yours was one of them, you will have received an email from me explaining why I will not be using that site again. Just because it is electronically handled it does not mean the user has lost their rights of consent, rather they should be enhanced to ensure compliance. I remember back in the ‘old days’ when direct marketing companies harvested names and addresses (now this is pre-email….) and there was a massive selling on of these to anyone who wanted to pay for them. The consent or tick-box soon followed and we had some regulation over how our data was used, all that has happened is that this time it is electronic. A lot of businesses went on about the cost of making this change, exactly the same arguments as 25 years ago, but it will soon pass and we will have something else to worry about…..

The ICO has also published a webpage for the public explaining what cookies are and their rights. They also explain how to control cookies and where to get further information. A link to this is at the end of this text.

We are now hearing that three of the EC regimes have not started compliance work or are nowhere near completing it and they now face legal sanctions. It will be interesting to see what the ECJ do in this case as there are talks of daily ‘fines’ being issued until the legislation is enacted in these countries. What this space!!

ICO Guidance on the EU cookie law / e-Privacy Directive –  V3, May 2012

Cookies – Advice For Members of the Public – ICO


About KPG Professional Services

Kevin has been working in the Data Protection field for over 20 years with The Post Office, Royal Mail Marketing, The Royal Bank of Scotland and Glasgow Housing Association Ltd. He is also trained in the Freedom of Information (Scotland) Act 2002 and has supplied expertise and support in this discipline for the past 4 years. In his leisure time Kevin is a presenter on Hospital Radio, an SRU rugby referee and referee coach and also the stadium announcer at McDiarmid Park for his team St Johnstone in the Scottish Premier League.
This entry was posted in Cookies, Data Protection, Fair Processing, ICO, Information Commissioner, Information Security. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s