Cookie law: agree to being tracked, or get out
After a one-year grace period the Information Commissioner's Office (ICO) has started enforcing the 'cookie law'. In practice nothing much will change; the rules have already been relaxed.
The European Directive 2002/58/EC never did much to prevent the use of cookies for tracking, and it's unlikely the revised cookie law will limit marketeers' ability to follow people on the world wide web. Under the new rules, which have been implemented by updating the Electronic Privacy and Communications Regulations, websites may only use cookies if you give your consent. However, on the eve of the cookie law coming into force the ICO confirmed “implied consent” is sufficient.
Before the revision of the 'cookie law', websites could only use cookies if two conditions were met: websites needed to provide “clear and comprehensive information” about how cookies were used; and they needed to give people the option to refuse cookies. From the start the Regulations were ignored, and instead of giving people more control over how websites use cookies, the market for 'behavioural advertising' exploded. Ever more websites allow anonymous third parties to track people online, and in the process many privacy policies and terms and conditions are being rewritten in legalese.
The revised Regulations are primarily an attempt to curtail online tracking. The cookie law recognises that some cookies are necessary for the functioning of websites; such cookies are now allowed. At the same time the rules for cookies that aren't “strictly necessary” have been tightened. The cookie law states that websites may only use such cookies if you give your consent. In other words, the opt out has become an opt in.
Implied consent
When the new Regulations became law the Information Commissioner's Office gave organisations a year to adopt the new policy. Tellingly, during this 'grace period' the ICO has relaxed its interpretation of the rules. Initially, the ICO suggested websites would need to gain people's consent for the use of cookies by asking visitors to tick an opt-in box; the ICO's own website introduced such a box when it first published its guidance on the cookie law. However, the ICO has now stated that 'implied consent' is good enough. To comply with the Regulations websites only have to have a cookies policy and make visitors aware consent will be assumed if someone continues to browse the website.
In a further sign that the cookies law is unlikely to restrict the use of cookies for online tracking and advertising the ICO has emphasised it's unlikely there will be fines for organisations failing to comply with the Regulations. In a YouTube video David Evans of the ICO explains that “monetary penalties can only be issued […] in cases where there's been a serious breach that's likely to cause substantial damage to people, and where there is […] a wilful element towards non-compliance. It's difficult to imagine that non-compliance with the cookies rule is ever going to trigger a situation in which we would be able to issue a monetary penalty.” Rather than issuing fines the ICO hopes “compliance can be achieved by negotiation, by us giving advice and telling organisations what we feel they need to do.”
All or nothing
Relaxing the rules hasn't made website publishers any more supportive of the Regulations. Only on the day the ICO started enforcing the cookie law did cookie statements start to appear on websites. A quick look at some of the most visited websites in the UK shows they have all adopted the 'implied consent' principle. The website of the Guardian, for instance, simply states that people who continue to browse its web pages are automatically agreeing to cookies being used. Ironically, to prevent the cookies statement from appearing again after implied consent has been assumed, the website stores this information in a cookie.
It's unlikely, then, that the revised cookies law will give people more control over how cookies are used on websites. Arguably, the new rules have made things worse. Rather than allowing people to opt out of being tracked, they're now presented with an all or nothing option: either you accept a privacy policy in full or you should leave and never come back. To avoid being tracked, people continue to rely on browser extensions such as Ghostery or (for Firefox users) NoScript.
Links
- Data protection in the electronic communications sector (europa.eu)
- Updated advice and guidance on changes to the EU cookie law (ico.gov.uk)
- Behavioral targeting (wikipedia.org)
- Ghostery (ghostery.com)
- NoScript (noscript.net)