Saturday, 2 July 2011

Waiting for a new definition of “necessary” cookies from the ICO?


If it’s really true that 90% of visitors have refused the Information Commissioner's Office permission to understand more about the visitors to its website, I wonder if this heralds some new thinking about what cookies are actually “strictly necessary” for a website to be able to function properly.

And when we think of it, surely the ICO’s website must be one of the more trusted websites out there in cyberspace. It can’t just be the privacy anoraks who visit it. Surely real members of the public seek out its advice too. But if 90% of visitors don’t trust the ICO to safeguard their privacy by only putting “safe” cookies on a visitor’s device, then what on earth is going to happen when other webmasters (say those operating the other 100 million or so EU websites) get around to giving visitors cookie choices?

When I blogged about this subject on 22 May, I quoted the ICO’s first attempt at guidance, which was before it had any evidence about the likelihood that users would object to analytics cookies:

The use of the phrase “strictly necessary” means its application has to be limited to a small range of activities and because your use of the cookie must be related to the service requested by the user. Indeed, the relevant recital in the Directive on which these Regulations are based refers to services “explicitly requested” by the user. As a result our interpretation of this exception therefore has to bear in mind the narrowing effect of the word “explicitly”. The exception would not apply, for example, just because you have decided that your website is more attractive if you remember users’ preferences or if you decide to use a cookie to collect statistical information about the use of your website.

Perhaps the new thinking will develop from an argument which runs along the line that, for webmasters to be able to publish information on websites, they need to acquire the resources that are necessary to keep the site properly maintained. They surely have a right to have information about the location of the devices used by visitors, and track where visitors go on their site, to make the experience more enjoyable for visitors, and more beneficial for the webmaster. Surely every webmaster wants to design his site so that it is easy to navigate, and he has a legitimate right to know how popular the various parts of his site are.

Developing this argument slightly further, webmasters may also appreciate that public access to a website costs money. Some of this money can be recovered by people who use some of the real estate on the website to offer advertising to visitors. But those who offer the advertising space may well seek information about visitors in order that they can serve the most effective adverts. If the advertisers are denied access to the services offered by Google Analytics, it could be uneconomic to continue to operate the website. And if that is the case, surely such cookies would be “strictly necessary” for the provision of that service.

The UK chapter of the International Chamber of Commerce has already created a working group to look at the UK cookie consent requirements, and will hopefully sort cookies into categories that are going to be easy for webmasters to manage, and still fair for users who choose to visit the relevant websites.

Thank goodness we have a few months to figure this stuff out. We may need every one of the 12 months that the Commissioner has kindly given us.

European commissioner Neelie Kroes has also warned European webmasters that they need to agree on a do-not-track standard by mid-2012.

But I won’t be betting much on the prospects of getting general agreement on the meaning (and the implementation) of such an imprecise standard throughout Europe within a year.

Sources:
http://www.theregister.co.uk/2011/06/29/most_users_would_not_accept_cookies/
http://www.zdnet.co.uk/news/security-management/2011/06/22/eu-warns-web-firms-over-do-not-track-timescale-40093187/
