The Cookie Law is Not Dead

There has been a growing number of people in the weeks since the cookie law ‘deadline’ passed on May 26^thcoming out to declare both the failure of the ICO to enforce it, and its resultant death-by-apathy.

.net magazine ran an article by Craig Grannell, relying heavily on the views of Oliver Emberton of Silktide and his latest video.  In the interests of balance, I thought it was time to examine these arguments in more detail.

First, it is important to note that Emberton is a big campaigner against the cookie law itself.  He started an online petition to try to get rid of the law – so it is fair to say that he would like people to believe it is at risk of dying, even if it isn’t.  

The main arguments placed for the doom of the cookie law are these:

• Most websites have yet to do anything to comply
• In 4-6 weeks, the ICO appears to have done nothing to enforce it
• There are no ‘clear benefits or penalties’
• It is very difficult for users to make a complaint
• The law is effectively unenforceable

Many of the biggest sites have made some kind of change – even if it is just a cookies ‘information only’ message that offers nothing in the way of user control or choice.  It is not great, or in the spirit of the law – but it is a start.  We know that consumers are becoming aware and reacting to these messages.   We also know that what high profile sites are doing is influencing the ongoing take-up by smaller businesses.

Although there are stories that people don’t like the intrusion and are often clicking messages away without reading them – we don’t yet know how accurate that is, or even why people are reacting this way.

There is lots of evidence to suggest that people are concerned about their privacy, and want to be able to do something about it.  They want to choose who to trust, and who is allowed to collect their information.  Perhaps the message so far is wrong – people feel that they are not being given enough information, the right kind of information, or reasonable choices to make.  We cannot assume at this point that they are just not interested – as those campaigning against the law would have us believe.

As for the ICO – they told us that they weren’t going to be heavy-handed with enforcement of the law – so it is hardly surprising that we haven’t heard anything about this publicly yet.  However, it doesn’t mean that they are not doing anything.  Much of their enforcement processes will be confidential between them and website owners, just because they haven’t slapped a big fine on a high profile site – does not mean that they are sitting twiddling their thumbs.  There are penalties and I am sure that they will, or are, being imposed.

So what of the supposed lack of benefits?  As mentioned in my last post – there is clear evidence that consumers are more prepared to do business with organisations they trust with respecting their privacy rights and wishes.

In highly competitive online markets, offering transparency and choice may give one business an edge over its rivals – and not doing it risks being left behind.  Clearly this is not ever going to be the only competitive differentiator, or even the most important, but it is likely to become one of the dimensions by which people judge how much they want to engage with a particular site or the business behind it.

I have to agree however that the ICO’s complaints tool is hardly user friendly and requires knowledge that most people don’t have.  It is a shame really as there ought to be an easy way simply to express concern that one’s rights are not being respected. 

We are therefore looking to set up a forum where people can express their concerns, and we encourage everyone to contribute to this, anonymously if they wish: https://groups.google.com/forum/?hl=en&fromgroups#!forum/online-privacy-forum

On the enforceability of the law – it most emphatically can be done.  It is the easiest thing in the world to check whether cookies are being set by a site – and then whether that site has either disclosed information about them or given the visitor an opportunity to consent.  It could even be done programmatically – in the Netherlands it looks as if they are planning to go down that route.

As a company helping businesses with their compliance, we are still getting new enquiries and providing our services to new clients.  We are also increasingly providing follow-up services to people who were early adopters.  Of course the rush we saw in April and May has settled down, but the cookie law has far from gone away.

In fact, now is when the really interesting work can begin.  We are busy listening to our clients, looking at examples of best practice, and starting to build second generation services to meet the needs of both businesses and their site visitors – to provide enhanced online privacy, compliance, and better website experiences.