Thursday 31 January 2013

Cookies: Was the ICO’s original approach too extreme?

An interesting announcement has recently appeared on the ICO’s website. Now, visitors will have to explicitly consent to a narrower range of cookies before they are set. This means that a wider range of cookies will be set automatically, which the user will obviously be able to delete, should they wish.

This is great news – not only for the ICO, who will be able to harvest very useful information about how users navigate the website, but also for those who argue that implied consent can, in certain cases, be just as valid as obtaining explicit consent, to process data lawfully.

The ICO’s public explanation for the change is interesting: We first introduced a notice about cookies in May 2011, and at that time we chose to ask for explicit consent for cookies. We felt this was appropriate at the time, considering that many people didn’t know much about cookies and what they were used for. We also considered that asking for explicit consent would help raise awareness about cookies, both for users and website owners. Since then, many more people are aware of cookies – both because of what we’ve been doing, and other websites taking their own steps to comply. We now consider it’s appropriate for us to rely on a responsible implementation of implied consent, as indeed have many other websites.”

However, there was no mention of the difficulties that were caused to ICO staff, who found that hardly anyone had explicitly consented to the placement of cookies that fell outside the 'strictly necessary' category on their devices, so the ICO didn’t know whether much of the content that had been published on its own website was actually being read by many people.  Perhaps the original approach really was detrimental to the legitimate interests of webmasters.

Nor was there mention of any evidence of whether many people had actually realised, from the plethora of cookie warnings that have been plastered on websites everywhere since May 2011, what cookies actually were.  I suspect that the great British public has generally ignored this historic opportunity to learn more about cookies – and that they will be quite grateful not to have to click away at a snowstorm of warning notices before they get to the stuff they really wanted to access. If anyone has any evidence about how these notices have changed behaviours, I’m sure we would all really like to see it.

Sanity rules. And three cheers for that.

What we now need is, say, for good incident to arise which night cause a spat between different regulators. Perhaps a Dutch citizen, resident in Holland, could complain to the Dutch Data Protection Regulator that they had logged onto the ICO’s website and found that some types of cookies had been installed on their devices – cookies which, if they had been loaded by a Dutch data controller in Holland, should only have happened after explicit consent had been supplied.  That will keep the Sado Dataprotectionists going for a few more months.