Cookies - what is the current situation?

Written by Finn Taylor on 13th June 2012

(Last updated 21st March 2022)

Now the dust has settled and the 26th May deadline for implementing the ICO's cookie legislation has passed, we can take stock of where things stand.

A quick recap before we dive in

A topic such as cookie legislation would traditionally have been considered a geeky web design issue. In recent months, however, it has become a prominent topic, making it onto the front page of the likes of the Guardian, Telegraph, BBC and other consumer-oriented news channels.

The reason for the mainstream press coverage is that this has been recognised as being about far more than web design - this is about our online privacy.

Whilst privacy issues are usually debated between government committees and campaign groups, this cookie debate has been pushed into the public sphere because of European directives forcing the issue, the Information Commissioner's Office taking a firm stand and setting some lines in the sand, and ultimately the importance of this issue to all online users.

Back in 2011 the ICO unveiled a new policy regarding websites' cookie policies - this directive essentially stated that any website needed to gain a user's consent before writing a cookie onto their machine.

Without getting all geeky, a cookie is essentially a little file which the website records onto your machine, so that it can store and retrieve information about your activities and ultimately track you through the website.

  • Some cookies are essential to help a website provide features and functions, such as shopping carts, user preferences, logged-in status etc.
  • However, cookies can be used in a far more dubious manner, not only identifying you as a unique user on each visit to the website, but more worryingly tracking you across multiple websites.

The abuse of cookies has been led by large advertising networks placing adverts across multiple websites, whilst also writing their own tracking cookies to your computer so they can track you across any website you visit that they have an advertising relationship with.

In practice this means that you can be looking for something of interest, for example you might search for health tips and advice. Following this, you may discover that other websites start offering advertising / product placement targeting your interest, such as gym memberships, health supplements etc. You might then discover that you start receiving e-mails from other companies offering you products and services (as you may have provided your details to one of the companies within the network).

Some people might argue that this kind of tracking / advertising is of value since it is targeting you with advertising specific to your interests; however, others would argue that this is a step too far. Ultimately legislators have decided that we need protection from the unscrupulous marketeer.

Whilst the principle behind this policy was a fine and honourable one, the actual policy was almost immediately ridiculed by web design agencies (such as us), who claimed it was unworkable and just another example of government not understanding technology.

Our reason for this pushback was that the legislation did not provide any guidelines regarding implementation, and left a large question over practical implementation - in essence they were suggesting that every website needed a popup box demanding that you agree to a cookie in order to visit, otherwise it might not work correctly. The general consensus was that this would simply result in:

  • an awful user experience, as the user would be stopped from accessing the website, and
  • users simply clicking "I agree" without really understanding what they were agreeing to

We all presumed that the ICO's cookie legislation would be reworked/clarified; however, this did not happen, and as it became clear that most government websites would fail to implement it in time, the ICO was forced to shift the implementation dates.

Finally the day before the implementation date, the regulation was watered down with the following clause "Implied consent is a valid form of consent and can be used in the context of compliance with the revised rules on cookies."

Many have felt that the ICO have really mismanaged the entire process - the fact that most government websites have not achieved compliance, and that KPMG estimate based on their own audit that 80% of UK websites have not achieved compliance either, only goes to show that this issue is far from resolved.

So where do we stand today?

Our best understanding of the current situation regarding Cookie policy is as follows:

As of the 26th May 2012 your website must be compliant with the ICO's cookie legislation.

As a site owner this means:

a) You will need to provide a full description of all cookies set by your website, specifying the purpose/function of each cookie in simple language which will be understandable by users - this policy should be easy to find.

b) You will, however, need to prominently alert the user and ask for consent if you are setting cookies (although you can ignore their consent as this is now implied).

c) There is, however, an exemption from the need to alert the user that you are setting cookies if these are essential to enable the website to function.

Examples of this are:

  • enabling a shopping cart to function by tracking a user's actions within the website
  • tracking a user's status within the site (logged into secure areas etc.)
  • improving the delivery of content within the CMS platform

As a site owner, this means that strictly speaking, if you are not doing anything untoward regarding tracking users around the website using cookies - i.e. your content management system or commerce platform is simply setting cookies to help the website function correctly - then you only need to update your cookie policy.

There is, however, one caveat - the common use of Google Analytics, which sets its own cookies. Strictly speaking this is not essential for the functioning of the website, and therefore if you use Google Analytics then you need to tell the user with an overlay box very much like the one used on the Guardian website.

The ICO has, however, specifically stated that "provided clear information is given about their activities we are unlikely to prioritise first-party cookies used only for analytical purposes in any consideration of regulatory action". This clearly indicates that the ICO understands the importance of GA in relation to the practicalities of running a website and its necessity in continually improving it for users. Technically speaking this statement does not create an exemption in itself, and while the ICO are highly unlikely to bring their guns to bear on those sites using GA, non-compliance is still non-compliance.

Another point to note is that whilst fines can be levied for non-compliance, the ICO has stated that they will not be actively chasing all but the largest website owners - see the article by The Register.

So in simple terms - 

  • If your website sets a few cookies which are required by the CMS or commerce platform to operate, then you simply need to update your privacy/cookies policy to provide clear and simple information about these.
  • If you are, however, setting cookies for other purposes such as advertising or non-essential personalisation, then you need to ask the user's consent by opening a pop-up or overlay which asks for this. They may not have to agree to it due to the new 'implied consent' clause, but they must be informed of it.
  • If you are using general analytical user tracking (for instance Google Analytics) you should also have a consent checking solution in place - but the urgency to implement this is much lower.
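As an added example (not code from the original post or the agency's own tooling), the JavaScript below turns the three obligations above into a check a site owner can run: a constructed registry describing every cookie in plain language (point a), a consent-state rule that exempts essential cookies and accepts implied consent once the notice has been shown (points b and c), and an audit of a cookie string that flags undeclared cookies and non-essential cookies set without consent. The cookie names, categories and consent-state labels are assumptions made for illustration.

```javascript
// (a) Plain-language description of every cookie the site sets (constructed registry).
const COOKIE_REGISTRY = {
  session_id: { category: "essential",   purpose: "Keeps you logged in as you move between pages." },
  cart:       { category: "essential",   purpose: "Remembers the items in your shopping basket." },
  _ga:        { category: "analytics",   purpose: "Google Analytics: counts visits so we can improve the site." },
  ad_net_uid: { category: "advertising", purpose: "Set by an advertising network to show adverts based on other sites you visited." },
};

// Consent state as recorded by the site (constructed labels):
//   "none"    - the notice has not been shown yet
//   "shown"   - notice displayed and the user carried on browsing (implied consent)
//   "given"   - user explicitly agreed
//   "refused" - user explicitly declined
function consentCovers(category, state) {
  if (category === "essential") return true;               // (c) exemption: needed for the site to work
  if (state === "given" || state === "shown") return true; // (b) explicit or implied consent
  return false;                                            // "none" or "refused": no non-essential cookies
}

// Audit a Cookie header / document.cookie string against the registry.
// Flags cookies missing from the policy (breaks a) and non-essential
// cookies set before consent was obtained (breaks b).
function auditCookies(cookieString, state, registry = COOKIE_REGISTRY) {
  const findings = [];
  for (const part of cookieString.split(";")) {
    const name = part.trim().split("=")[0];
    if (!name) continue;
    const entry = registry[name];
    if (!entry) {
      findings.push({ name, issue: "undeclared" });
    } else if (!consentCovers(entry.category, state)) {
      findings.push({ name, issue: "set-without-consent", category: entry.category });
    }
  }
  return findings;
}

// Lines for the cookie policy page, generated from the registry so the
// published policy cannot drift from what the site actually sets.
function policyLines(registry = COOKIE_REGISTRY) {
  return Object.entries(registry).map(
    ([name, { category, purpose }]) => `${name} (${category}): ${purpose}`
  );
}

// Constructed cookie string as a browser would send it on a visit where no notice was shown.
const SAMPLE_COOKIES = "session_id=abc123; cart=42; _ga=GA1.2.555; ad_net_uid=u9; debug=1";
console.log(auditCookies(SAMPLE_COOKIES, "none"));
```

Running the audit against a real site's cookie string before and after the overlay is shown tells you which cookies the policy must list and which scripts must be deferred until consent is recorded.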

Some good examples of this implementation are

As an agency we have advised all our clients to update their cookie policies and are in the process of rolling out the disclaimer overlays where clients feel this is necessary.

So where do we stand - has this new legislation solved the original problem?

Whilst the original idea of protecting users from tracking was in principle a good move, we really feel the ICO have completely mismanaged this process, showing incompetence, a lack of technical knowledge and a true lack of leadership and stewardship.

  • The original legislation lacked clarity or thought regarding real-world implementation
  • Clarification of the issues was not forthcoming
  • The implementation dates and goalposts moved due to this mismanagement
  • At the 11th hour a significant change, the 'implied consent' clause, dramatically watered down the essence of this legislation

The result of this mismanagement is that:

  • Most of the UK's websites remain non-compliant, including the majority of government websites
  • New ambulance-chasing companies are running around trying to scare companies into buying a service with the threat of large fines
  • Websites which have achieved compliance will simply ask you to check a box to close a window, without the user even knowing what the cookies do
  • The largest offenders - the advertising networks - are not being targeted or held accountable, as the responsibility is placed on all the individual site owners
  • Ultimately industry is moving its tracking upstream to ISP level, which sidesteps the cookie issue, allowing advertising networks to continue tracking you

If the ICO was serious about implementing a workable set of policies, they would ensure that they had a technically competent team of industry consultants, capable of defining a simple set of well thought out rules to work to.

So what's the solution?

We think the legislation needs reworking - some simple points below would solidify a good principle:

1) Whether the tracking is cookie-based, server-side or ISP-based, the following principles should apply (otherwise it will just be a game of cat and mouse)

2) If a website needs to track your movements for site specific activities - shopping carts, personalisation or analytics - this is OK

3) Any information about you as a user should, however, be anonymised unless it is required for the specific functioning of the website

4) However, if tracking spans from one website to another, then:

  • the website should require your consent each time one site attempts to gather information about your activities on another website
  • the consent should include a simple explanation of the purpose of the tracking (a link to a privacy policy page is not acceptable)
  • networks which operate across multiple websites will be deemed to be separate websites
  • an exemption should exist for practical reasons where websites operate as a family of websites (same brand, just different URLs for different sections)
  • fines are applied not only to the owner of the website where the cookies originated, but also to the companies running networks across multiple websites - the advertising agencies

This is sure to be a cat and mouse game, with advertisers/marketeers trying to find loopholes and workarounds, so we need a well thought out set of rules and regulations which are not tied to whether tracking is cookie-based, but are instead based on whether someone is allowed to track you or not, and if so how they gain your consent.

It would be good to hear other people's thoughts about how to improve the legislation...

by Finn Taylor