That’s the way the cookie rules crumble

New EU rules relating to the use of cookies on websites came into effect in May 2011, but the UK Information Commissioner gave everyone a year to work towards compliance. In practice, of course, that meant everyone ignored it for 51 weeks, then panicked.

Along with much of the European web industry, I spent last week fielding calls from clients, asking whether their site was compliant with the rules – or perhaps more accurately, whether they were facing a £500,000 fine, like they’d heard on the news.

As ever with these things, it boiled down to choosing a role model, and copying what they were doing. The Government Digital Service and DCMS (as lead department) were both taking an ‘implied consent’ approach, with pages listing and justifying the use of each individual cookie; and the BBC, initially, were doing likewise. That was good enough for most people.

(Late in the week, the BBC actually changed tack, and introduced a new ‘explicit consent’ approach. Thankfully, most of my contacts had bought into ‘implicit consent’ by then.)

And then, outrageously late in the day – a scorching hot leave-work-early Friday at that, the ICO cracked.

Posting on their corporate blog, Dave Evans announced that their guidance had been updated to ‘clarify’ that implicit consent was a valid form of consent, as long as you were ‘satisfied that users understand that their actions will result in cookies being set.’ In other words, implicit consent with appropriate information was absolutely fine.

It was the only sensible outcome. Constant popups or warning banners would have killed the concept of cookies, which are used – in the vast majority of cases – to make things easier for users. It would have undermined most websites’ traffic analysis. And besides, with third-party services from sharing to embedding now common on every web page, I’m not convinced any technology could have successfully blocked every attempt to drop cookies anyway.

It hasn’t been an unhelpful exercise. I broadly agree with the principle of cutting down on ‘unnecessary’ cookies, and in this past week, as a result of the fuss, we’ve made changes in how we do certain things. (Blog post to follow.) If it has made online giants like Google, Twitter and Facebook think again, and be more transparent about their use of cookies (and other tracking technologies), then that too is a good thing.

Common sense would seem to have prevailed. Hurrah. But I’m sure a lot of people are less than happy at the ICO’s handling of this.