UK / European law on website cookies and tracking

Updated at 17:35 BST to mention third-party cookies.  Updates are in italics.

The UK is planning to implement various European privacy rules, and one of the difficult topics has been the use of data gathered by websites.  Superficially this would seem to be targeted primarily at advertisers and other large companies, but in practice it could catch almost every website that is not completely static.  One aspect is that the UK rules will require explicit approval for most cookies to be stored on users' computers.

The BBC has reported this here and The Register has a story here.  Both organisations have been running various stories on this topic over the past few months.  Part of the problem has been a lack of clarity as to what is required, and the difficulty of technically implementing solutions that satisfy the rules.

Much of what has been written on this topic concentrates on third-party cookies, and I am sure that the original EU Directive may have been intended to target tracking by third-party cookies, which are typically used for advertising.  However, the Information Commissioner’s Office guidance is framed to cover just about every use of cookies other than those deemed “strictly necessary”.  Clearly anyone using advertising on a site that is provided by a third party is going to need to do something.  Some of the advertising organisations are claiming that putting a clickable badge on the advertising satisfies the regulations, although that is not at all obvious to me.

The Information Commissioner’s Office (ICO) guidance says

… you will need a user’s consent if you want to store a cookie on their device. The ICO recognises that cookies perform a number of legitimate functions. We also recognise that gaining consent will, in many cases, be a challenge.

There is an exception, but it is very narrow:

The only exception to this rule is if what you are doing is ‘strictly necessary’ for a service requested by the user. This exception is a narrow one but might apply, for example, to a cookie you use to ensure that when a user of your site has chosen the goods they wish to buy and clicks the ‘add to basket’ or ‘proceed to checkout’ button, your site ‘remembers’ what they chose on a previous page. You would not need to get consent for this type of activity.


After a little more detail it makes explicit that merely remembering preferences is not an exception:

The exception would not apply, for example, just because you have decided that your website is more attractive if you remember users’ preferences or if you decide to use a cookie to collect statistical information about the use of your website.

The full text from the ICO is here.

A lot of smaller organisations will, I think, find complying with the rules rather onerous.  Cookies are often used within packages that webmasters install, but those packages often don’t explain how cookies are used and probably don’t include pages to get the visitor’s consent to the cookies.  Indeed, one could argue that getting this consent is itself almost a privacy issue.  Anyone using advertising is clearly likely to be caught by these rules, although it is unclear to me whether the responsibility lies with the website owner or the third-party advertiser.

I did a quick check of the WordPress documentation and there is a page about cookies here, although the page does indicate that it is “in progress”.  As far as I can see, cookies are used by WordPress for Users and for Commenters.  I think therefore it would be necessary to get approval from users when they register.  For Commenters, the WordPress documentation notes that the cookie is “purely a convenience” and therefore, in my understanding, it is definitely not an exception under the ICO’s guidance, and again the code would need modification to explicitly seek approval.

If this is all implemented there will have to be changes to a lot of the standard packages used by hosting sites.  Most photo gallery software will use cookies to store viewing preferences (e.g. number of thumbnails in a row, background colour, etc.) and these cookies will need approval.  I can see pop-ups appearing all over the place, and we probably all block those!
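To make the distinction concrete, here is an added example of the kind of change a package would need: a small consent gate in browser-side JavaScript that writes “strictly necessary” cookies (the basket cookie in the ICO’s own example) immediately, but holds preference, statistics and advertising cookies back until the visitor opts in to that category, and expires them again if consent is withdrawn. This is illustrative code written for this post; it is not from WordPress, from any gallery package, or from the ICO. The category names, the helper names (`serializeCookie`, `createConsentGate`, `runDemo`) and the sample cookie names and values are all assumptions made up for the demonstration.

```javascript
// Added example (not from the original post, WordPress or any gallery package):
// a consent gate that lets "strictly necessary" cookies through immediately and
// holds every other cookie back until the visitor has opted in to its category.
// Category and helper names are this example's own assumptions.

const CATEGORIES = ['necessary', 'preferences', 'analytics', 'advertising'];

// Build one document.cookie-style string from a cookie description. Script in the
// page cannot set HttpOnly, so only Path, Max-Age, SameSite and Secure are handled.
function serializeCookie({ name, value, attrs = {} }) {
  const parts = [`${encodeURIComponent(name)}=${encodeURIComponent(value)}`];
  if (attrs.path) parts.push(`Path=${attrs.path}`);
  if (Number.isInteger(attrs.maxAge)) parts.push(`Max-Age=${attrs.maxAge}`);
  if (attrs.sameSite) parts.push(`SameSite=${attrs.sameSite}`);
  if (attrs.secure) parts.push('Secure');
  return parts.join('; ');
}

// writeCookie is the side effect. In a browser you would pass
//   c => { document.cookie = serializeCookie(c); }
function createConsentGate(writeCookie) {
  const consented = new Set(['necessary']); // the ICO exception: no consent needed
  const pending = [];                        // cookies deferred until consent
  const written = [];                        // cookies actually written, in order

  function setCookie(name, value, category, attrs = {}) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown cookie category: ${category}`);
    const cookie = { name, value, category, attrs };
    if (consented.has(category)) {
      writeCookie(cookie);
      written.push(cookie);
      return 'written';
    }
    pending.push(cookie);
    return 'deferred';
  }

  // Record consent for some categories and flush the cookies that were waiting on them.
  function grant(categories) {
    for (const c of categories) consented.add(c);
    const stillPending = [];
    let flushed = 0;
    for (const cookie of pending) {
      if (consented.has(cookie.category)) {
        writeCookie(cookie);
        written.push(cookie);
        flushed++;
      } else {
        stillPending.push(cookie);
      }
    }
    pending.length = 0;
    pending.push(...stillPending);
    return flushed;
  }

  // Withdraw consent: stop accepting cookies in those categories and expire the ones
  // already written by rewriting them with Max-Age=0. 'necessary' cannot be revoked.
  function revoke(categories) {
    const revoked = categories.filter(c => c !== 'necessary');
    for (const c of revoked) consented.delete(c);
    let expired = 0;
    for (const cookie of written) {
      if (revoked.includes(cookie.category)) {
        writeCookie({ ...cookie, value: '', attrs: { ...cookie.attrs, maxAge: 0 } });
        expired++;
      }
    }
    const keep = written.filter(c => !revoked.includes(c.category));
    written.length = 0;
    written.push(...keep);
    return expired;
  }

  return {
    setCookie, grant, revoke,
    pending: () => pending.map(c => c.name),
    written: () => written.map(c => c.name),
  };
}

// Demo against an in-memory jar (a constructed stand-in for document.cookie).
function runDemo() {
  const jar = [];
  const gate = createConsentGate(c => jar.push(serializeCookie(c)));
  // Basket cookie: strictly necessary for the checkout the visitor asked for.
  gate.setCookie('basket', 'sku123,sku456', 'necessary', { path: '/', sameSite: 'Lax', secure: true });
  // Gallery preference and site-statistics cookies: a convenience only, so held back.
  gate.setCookie('thumbs_per_row', '6', 'preferences', { path: '/gallery', maxAge: 2592000 });
  gate.setCookie('site_stats', 'anon-42', 'analytics', { path: '/', maxAge: 63072000 });
  const beforeConsent = jar.length;            // only the basket cookie so far
  const flushed = gate.grant(['preferences']); // thumbs_per_row is written now
  const expired = gate.revoke(['preferences']); // ...and expired again on withdrawal
  return { beforeConsent, flushed, expired, jar, pending: gate.pending(), written: gate.written() };
}
```

Running `runDemo()` in a browser would leave only the basket cookie in place: the preference cookie is written when consent is granted and overwritten with `Max-Age=0` when it is withdrawn, and the statistics cookie never reaches `document.cookie` at all. The point of wiring every cookie write through one gate is that the consent decision is made in a single place rather than in each plugin that happens to want a cookie.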

Interestingly, the ICO site itself uses Google Analytics and places cookies on visitors’ devices, so I think they need to update their site.  I wonder what they will do?  I’m sure many government sites use cookies.
