This content was originally published at Kyan’s blog at http://kyan.com/blog/2011/5/31/the-lurking-cookie-monster, but is no longer available at that location. Reproduced here with permission.

The lurking cookie monster

Ever heard of the Privacy and Electronic Communications (EC Directives) (Amendment) Regulations 2011 (Regulation 6)? If not, then it’s perhaps more likely that you’ve read news stories about how cookies are going to be banned. Sensationalist? Only a little.

It’s fair to say that the web industry as a whole hasn’t been very good at dealing with its own privacy problems. Tracking networks are rife, opt-out systems seem to be optional, and turning off cookies entirely breaks whole sites. Yet turning off cookies is exactly what the ICO (Information Commissioner’s Office) wants us to do. Or, to be more specific, they want each and every website to ask the user to OK the use of each and every cookie it sets (with the exception of ‘essential’ cookies – e.g. a cookie that tracks what you have in your shopping basket). This, from a user experience point of view, is arguably worse.

Theoretically, browsers already supply the ability to solve this problem, but if the legislation is a sledgehammer to crack a nut then browsers’ ability to turn off cookies completely is a wrecking ball. Mozilla and Microsoft are at least trying to solve a similar problem, albeit in a different way. They’ve adopted a ‘Do Not Track’ header sent with every request that tells the server whether the user accepts being tracked or not. Obviously this doesn’t force the server to do anything, but using the user’s stated preference is a way for industries involved in tracking to adhere to the spirit (if not the letter) of the EU act. As an aside, it’s interesting that all the major browser manufacturers have adopted DNT with the exception of Google, who run a tracking network (there’s an unresolved bug on this issue in the Chromium bug tracker).
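As an added illustration of the server-side half of the DNT mechanism described above (example code, not from the original post), the following Python helper reads the Do Not Track header from an incoming request and drops every non-essential cookie the application wanted to set. The header semantics used are the ones browsers shipped: `DNT: 1` means the user opts out of tracking, `DNT: 0` means they consent, and an absent header expresses no preference. The cookie names and the `ESSENTIAL_COOKIES` set are constructed for the example.

```python
"""Honour the Do Not Track (DNT) request header when deciding which cookies a
response may set. Added example; not code from Kyan or from the original post."""
from typing import Dict, List

# Constructed example: cookies the site cannot function without (shopping
# basket, login session). Everything else is treated as tracking and is
# only set when the user has not asked not to be tracked.
ESSENTIAL_COOKIES = {"basket", "session"}


def dnt_enabled(headers: Dict[str, str]) -> bool:
    """Return True when the request carries DNT: 1.

    HTTP header names are case-insensitive, so the lookup ignores case.
    DNT: 0 (explicit consent) and a missing header both return False.
    """
    for name, value in headers.items():
        if name.lower() == "dnt":
            return value.strip() == "1"
    return False


def filter_cookies(headers: Dict[str, str], cookies: Dict[str, str]) -> Dict[str, str]:
    """Keep every cookie when DNT is not set; otherwise keep only essential ones."""
    if not dnt_enabled(headers):
        return dict(cookies)
    return {name: value for name, value in cookies.items() if name in ESSENTIAL_COOKIES}


def set_cookie_headers(headers: Dict[str, str], cookies: Dict[str, str]) -> List[str]:
    """Render the surviving cookies as Set-Cookie header values.

    Secure and HttpOnly are added so the cookies are neither sent over plain
    HTTP nor readable from page scripts; SameSite=Lax limits cross-site sends.
    """
    return [
        f"{name}={value}; Secure; HttpOnly; SameSite=Lax"
        for name, value in filter_cookies(headers, cookies).items()
    ]


if __name__ == "__main__":
    # Constructed request: a browser with Do Not Track switched on.
    request_headers = {"Host": "example.test", "DNT": "1"}
    wanted = {"basket": "abc123", "session": "s3ss10n", "_tracker": "visitor-42"}
    for line in set_cookie_headers(request_headers, wanted):
        print("Set-Cookie:", line)  # only basket and session are emitted
```

The check sits naturally in a response middleware: the application asks for whatever cookies it likes, and one place decides which of them respect the user's stated preference, which is also the single place an auditor needs to read.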

Bigger companies are more likely (as with accessibility legislation) to have legal action brought against them. This post on econsultancy.com by a senior marketing manager at Tesco.com illustrates well the confusion caused by the act and the lack of workable guidance that the ICO has given so far.

Although the legislation came into force on 26 May 2011, it was obvious that no-one was ready. Even the Prime Minister’s site (Number10.gov.uk) gives you no option to turn off cookies, and its privacy policy proudly proclaims that it uses cookies to track you. Even the ICO themselves claim that a cookie they set is necessary for the running of the site, though this is a software limitation and not directly related to an action the user wants to accomplish.

Luckily, the ICO does seem to be fairly responsive and, a day before the legislation came into force, issued a press release in which the Information Commissioner, Christopher Graham, stated:

“I have said all along that the new EU rules on cookies are challenging. It would obviously ruin some users’ browsing experience if they needed to negotiate endless pop ups – and I am not saying that businesses have to go down that road. Equally, I have to remember that this law has been brought in to give consumers more choice about what companies know about them.”

[…]

“So we’re giving businesses and organisations up to one year to get their house in order.”

Communications Minister Ed Vaizey also stepped into the fray with an open letter. Here is an interesting passage:

The Government response also set out proposals to continue to work with browser manufacturers to see if browsers can be enhanced to meet the requirements of the revised Directive. Account for this has also been made in the drafting. As was made clear in that document, default browser settings could not be considered to meet the requirements of the Directive. It is for this reason that the development of enhanced browsers that meet the information requirements of the revised Directive are being pursued in collaboration with industry.

As per usual, fixing this comes down to being pragmatic. While the exact wording of the act may seem restrictive, there is obvious value to users in greater privacy. Even if people don’t follow the act to the letter, anything that persuades site owners to pay better attention to what they and their third-party vendors are doing is a good thing for businesses and customers alike. From an agency point of view, over the next year we hope that the legislation accomplishes three actions:

No-one’s going to be perfect from the start, but it’s an important conversation to have.