CookieLaw Blog December 4, 2014

Ignoring Do Not Track Risks Cookie Law Compliance

The UK’s most used cookie law compliance model is not compliant if Do Not Track requests are ignored by websites setting tracking cookies, according to the UK Information Commissioner’s Office (ICO) case work team.

In a response to a question posed about a common website setup, we have been told: “a website must act on the DNT request in order to comply”.

More details of the exchange are below, but in short this means that most websites in the UK are running a significant compliance risk, even if the regulator’s current priorities make the chances of enforcement action pretty slim at the moment.

One of the reasons that cookie notices are disliked by visitors is that most of them simply say that cookies are in use and continuing on the site is deemed to be consent for this.

The reason this can be interpreted as valid is that the law contains a clause stating that consent can be signified through browser settings.

 “For the purposes of paragraph (2), consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent.”

Therefore, if the site says ‘you can change your browser to block cookies’, it essentially puts the responsibility back on the user, without having to make any changes to the site itself – which for the owner avoids costs. Users can directly block cookies, so if they don’t, then this logic states that consent can be implied by the non-action.

This is a pretty loose interpretation of the law at the best of times, but is one widely used by websites to claim they are compliant, without offering any real user choice. Most users don’t change cookie settings because doing so gives you a terrible user experience on most websites – and often results in a lot of lost functionality.
