"The internet as we know it today would be impossible without the use of … cookies," says BIS. "Many of the most popular websites and services would be unusable or severely restricted and so it is important that this provision is not implemented in a way which would damage the experience of UK Internet users or place a burden on UK and EU companies that use the web.
"The Directive acknowledges this by saying that consent is not required when the cookie is strictly necessary to deliver a service which has been explicitly requested by the user," it says.
That much is true; but that is not the problem for businesses in complying with this Directive. The problem is that they want to serve some cookies that may not strictly be necessary for the delivery of a service requested by the user, to make their advertising more effective.
Businesses consider this harmless to the user's privacy, but they fear that if they ask permission, at best they will interrupt the user experience at their website, at worst the user will refuse them permission to serve targeted ads and their business will suffer.
A business might argue that its website is free to use only because it is supported by advertising. If cookies are used in the serving of that advertising, can that business argue that the cookies are "strictly necessary" for the delivery of the website? Probably not, in my view, but it is an issue that BIS has avoided altogether.
"Given the fast-moving nature of the Internet, it would be very difficult to provide an exhaustive list of what uses are strictly necessary to deliver a particular online service and if we implemented in this way it would risk damaging innovation," BIS said. That sounds like a cop-out.
"We therefore propose to implement this provision by copying out the relevant wording of the Article, leaving ICO [the Information Commissioner's Office] (or any future regulators) the flexibility to adjust to changes in usage and technology," says BIS. "Recital 66 of the amending Directive provides useful clarification of the Article text. We are considering including appropriate elements of this in the implementing regulations."
Regurgitating the Directive's wording, without any further guidance, is not helpful. Recital 66 does not provide useful clarification of the Article text. If it were useful clarification, there would not be a disagreement between the advertising industry's trade body and the Article 29 Working Party on the question of whether or not websites have to ask visitors questions about cookies.
So the government has missed the first opportunity to clarify this law. It has passed the problem down the line to the ICO. Businesses must await guidance from the ICO, which may or may not match the guidance of the Article 29 Working Party.
It would have been a brave move for BIS to propose legislation that provides clarity and risk those infraction proceedings. But the government has done this before. BIS could have supported explicitly the view of the IAB or the privacy regulators, or it could have suggested a fresh interpretation of Recital 66.
A less courageous move might be to transpose the Directive word for word, maximising the prospect of harmonised confusion across the EU, but mitigate the problems by providing guidance on what the government thinks the law actually means. Weaker still: avoid the guidance, but acknowledge the problems that exist. Instead, BIS has fudged the whole issue. There's no problem here, folks. Move along.
If your business is affected by this issue, you can share your views with BIS by responding to its consultation paper (74-page / 377KB PDF).
Copyright © 2010, OUT-LAW.com
OUT-LAW.COM is part of international law firm Pinsent Masons.
A fine illustration of Struan's loyalties this piece - I have never read such utter rubbish in my life.
What Struan meant to say is:
Industry don't want these changes because it obligates them to behave ethically and seek consent to track and profile.
Industry don't give a shit about how this impacts users, they only care about how it impacts their ability to cast a wide net for profiling - which is what opt out has allowed them to do for far too long.
Industry have no interest in finding a solution to the Opt In problem - they have had years to find that solution, I have even offered them the solution and they refused to engage. Rather they have concentrated on aggressive lobbying to try and devolve privacy regulation to allow them to do whatever they want without restriction. They have failed to do that and I warned them publicly almost two years ago and on multiple occasions since, that if they continued that line they would fail and be faced with a situation they are unprepared for - Opt In.
All this rubbish about browser control and the nonsense in recital 66 (which was written by industry sympathists) - browsers are NOT suitable for determining consent. Browsers have zero control over Flash cookies, they have very poor control over 3rd party cookies and with the news that HTML5 browser databases are now also being abused by advertisers they have zero control over those too. Furthermore, -everyone- knows (especially industry) that people rarely change default settings which is exactly why they have been fighting for Opt Out - the same is true with regards to browsers' default settings.
Industry want to prey on the fact that as a general rule users are naive and passive when it comes to online activities - they rarely take active control over how their browsing is managed and as such those browser controls are completely ineffective in managing user privacy.
Now my predictions have come true and they are in mad panic mode, lashing out with scare tactics.
Well I have one thing to say to you all - tough shit, you made your bed, have the bollox to lie in it.
No. As Alex says, the default should be safety and privacy. There has been ample opportunity to do this in a self-regulatory manner and it has been repeatedly missed. Even things we should be able to trust such as Firefox have added things like SafeBrowsing and GeoLocation which leak PII like a sieve. Enough is enough. Either respect users' privacy or laws like this will be needed. It's as simple as that.
Not completely correct ...
"most browsers accept cookies by default."
I'm pretty sure the default on any recent browser has been to accept only FIRST party cookies by default. Third party cookies can and SHOULD be blocked by default and if that's not the current default for a browser then why not change the law to *make* it the default?
If that in turn breaks many sites, then that's probably a good thing. With a few possible exceptions, any site which "requires" a third party cookie is doing so mainly with the specific intent of invading the person's privacy. First party cookies, however, usually act for the benefit of the user -- remembering things that would otherwise have to be repeatedly rekeyed. Or they let the webmaster get some idea of how many users are returning regulars. If kept within the confines of a single site, it is no worse than the public library staff knowing who comes in frequently.
The law should understand the difference and distinguish sensibly between them, presuming consent to first party cookies if the browser has been set to accept them but requiring third party acceptance to be off by default.
But to work, the law needs to go further and insist that except in a few very rigidly defined cases a user must be *able* to use every site with third party cookies and scripts disabled. "This site requires it" is an *excuse*, not a reason.