Tuesday 16 November 2010
Cracking the problem of cookies
The hot news (at least where I was) today was all about cookies. No mention of the engagement of HRH Prince William and Kate Middleton. The data protection community is obviously made of other stuff, and a select group congregated in central London this afternoon to work out what the Department for Business Innovation & Skills should get Parliament to approve as the law, and how Ofcom and the Information Commissioner’s Office should enforce it.
What’s the real problem, then?
Well, the European Commission is changing the rules about the way some cookies can be used, and how some types of information stored on a subscriber’s electronic device can be accessed. It appears that by next May, the UK will have fallen into line with the new regime.
Fallen into line may be a somewhat ambitious phrase – as, right now, no-one really knows what each Member State is going to do to achieve compliance with the rules. Not only are they extremely hard to comprehend, few Member States seem to have had the will so far to try to understand and propose how the rules should be implemented. So, three cheers for BIS and for the UK, and for providing leadership to the rest of the EU in this very important issue. Where we tiptoe, others will surely tread.
There appears to be no change to the law so long as the information in a consumer’s electronic device is only being accessed because it is strictly necessary to provide the user with an information society service which they had explicitly requested.
There will however be a change to the law if it is intended that information needs to be accessed for other purposes. And in these cases, the subscriber will have to provide their freely given, specific and informed consent before the relevant information is accessed for these other purposes.
As you can imagine, everyone is having a wonderful time trying to work out what cookies provide stuff which is strictly necessary for the provision of the service, and what cookies might not be permitted until the freely given, specific and informed consent turns up. So, when I type a URL and press the "Enter" key, apparently some of what I see will arrive because it is what I wanted to see, and apparently some of what I see will arrive because I will have somehow consented to seeing it.
Does this matter?
What is going to happen?
Well, I think it’s likely that two separate things could happen.
First, the browser manufacturers (whom you can count on the fingers of both hands) will probably be invited to meet and, in a concerted manner (but not in a manner that will incur the ire of the competition authorities), work out whether it’s possible to provide users with a more granular way of making choices about what types of cookies to accept, and from whom. The cool new descriptive term for this is the development of enhanced browser settings. It appears that the burghers at the European Union don’t like the concept of default browser settings, and instead want evidence that users have made choices about their settings. But, let’s get real here. How many people are really sufficiently interested and engaged in these matters to want to be provided with clear and comprehensive information about the consequences of the various browser setting choices that will be made available to them? I guess that far more people probably read the new terms and conditions on their iTunes account each time Apple changes them. And that’s not very many.
Second, the 4 million website owners (yes, there could be that many) will probably be expected to read the implementing guidance that will eventually appear on the BIS and ICO websites, and they will then be expected to work out for themselves whether it’s possible to provide users with a more granular way of making choices about what types of cookies to accept, and from whom. The cool new descriptive term for this activity is likely to be trying not to give the impression people are ignoring an incomprehensible law.
If I were a busy regulator, I would ask myself whether I should try and do a deal with, say, 10 browser manufacturers, or hold out and negotiate an understanding with 4 million website owners.
No contest, really.
I think I would start by approaching the browser manufacturers, and make so much noise that the website owners who use techniques other than cookies to access information for purposes other than to serve up the requested information on their website, begin to understand that they may have a bit of a problem. And I would wait and see if they came up with any cunning plans to become compliant with the law, and take no action - at least until anyone complained. If these web owners were causing harm to users and were not being transparent and were not getting their consent, then of course I would be down on them like a ton of bricks. But I suspect that, as a busy regulator, I might well have far more serious matters of poor compliance on my regulatory horizon. And I would want to focus on those matters, rather than waste scarce resources trying to improve behaviour that didn’t seem to be doing anyone any harm, anyway.
Perhaps, after all, I really am out of touch with the rest of society. What on earth am I really doing, blogging about cookies, when almost everyone else I know is celebrating the great news of the Royal engagement!