Digesting the Crumbling Cookie Law
With the deadline date for the Information Commissioner's Office's (ICO) cookie regulations looming, it's getting increasingly difficult to decipher the confusing and contradictory statements from both the ICO, and the U.K.'s Government Data Service (GDS), so let's break it down into bite-size cookie crumbs!
First off, the ICO are clear that the user must "fully understand" how your Web site will use cookies and "knowingly indicate" their acceptance. Their consent, however, could be given by any action and can even "infer consent". BT's Web site is a fantastic example of inferred consent, if you continue on around their site; you accept their cookies, simple.
"...If you continue without changing these settings, you consent to this - but if you want, you can change your settings at any time..."
Next up; consent can be obtained from either the "subscriber or user" and the ICO "do not specify whose wishes should take precedence". BT, again, could be an excellent example. Suppose they are your broadband provider; in their terms and conditions permission could be inferred, if you've bought or use their broadband, you consent to their cookies. Similarly Google could say; if you have an account with us, you accept our analytics and ad cookies. The ICO are clear on this: "The person setting the cookie is primarily responsible. The key point is not who obtains consent but that consent is obtained".
Web sites don't need consent for every Cookie though; those that are "strictly necessary" are good-to-go without prior permission. Unfortunately for us, an "analytic cookie might not be as intrusive but you still need consent", so says the ICO.
And here comes the contradiction; the ICO state that although you should have the visitor's permission to use most cookies, "Provided clear information is given we are highly unlikely to prioritise first party cookies for analytical purposes in any consideration of regulatory action". To surmise; you shouldn't use analytics cookies without the visitors consent, but if you do, the ICO are unlikely to take any action.
The GDS's guidelines for public sector Web sites even go as far as to say "metrics are integral to provide the best possible user experience" and "collecting these metrics are essential to the operation of government websites". This same argument could be said for Amazon, as an example, analysing trends to improve their visitor's experience (to recommend products, perhaps). This really sets precedence; the ICO could find it difficult to prosecute, say, Amazon, when official government sites fall foul of the regulations.
To wrap up, we've previously posted some elegant examples of implementing cookie opt-ins, here's mine, I'd like to hear your thoughts!
This blog was written over 6 months ago and Internet Marketing and SEO is an always changing industry which means the information within this blog may be out of date. Use caution when using any methods or suggestions within it.
