26 May 2011

Tea and cookies

Should the law demand the impossible?  

Today the law on cookies changes [1].
Cookies are small files downloaded to a user’s computer or phone when they visit a website or use an online service. Most are completely harmless, and many are essential to the operation of the site, or improve the user experience by, for example, recognising you when you return.
The new law, based on a change to the underlying European directive, requires the user’s explicit consent before a cookie can be transferred to his or her computer. But how is that to work? Government advice confirms that relying on the site terms and conditions is not enough; nor can you rely on the user having set the browser to accept cookies, as that is not specific enough. You must actually ask and get informed, explicit consent.
Easy enough, perhaps, if you have a site that requires people to register or log in; you can get their consent as part of that process. But what about a straightforward information website? The ICO guidance offers a few possibilities, but none of them is satisfactory. Use of pop-ups, for instance, is defeated by users with pop-up blockers. Banners are technically difficult to implement and take up precious space on the site. Demanding consents will put people off using your site, and may drive them to competitors who do not comply. A small business with a website hosted on its ISP’s servers often does not have any facility for the necessary technical measures, or for storing users’ consents. It will simply have to stop using cookies (including inspecting cookies provided by other sites). Many small businesses use ready-made website packages or authoring software and will have no idea whether their sites use cookies; they may have to spend money finding out.
Technically, the exchange of cookie information happens as soon as a website has been accessed – before any information has been displayed. How do you get consent without displaying any text? How do you check if a user has consented to inspection of the cookie on his computer without inspecting the cookie?
The ICO has said that it will not rigorously enforce the new law in the first year, allowing businesses time to comply. That in itself is unsatisfactory – either the law is in force or it isn’t. The regulations were only published three weeks ago.
But the main concern is that it is impossible to comply fully with the regulations. It is this sort of legislative mess that brings business regulation into disrepute, and encourages the impression of thoughtless legislation from Brussels.
The other change made by the regulations is to introduce a new power for the ICO to fine businesses up to £500,000 for breach of the rules. No surprise there.

No comments:

Post a comment

enter your comment or greeting