opinion

How a Cookie Law Crumbled

According to UKCookieLaw.org, the EU Cookie Law became effective in May of 2011, at which time the U.K.’s businesses were given a 12-month compliance window to come into line with this controversial law, created in response to amendments of the EU’s Privacy and Electronic Communications Directive.

“With a goal of ensuring websites are not tracking you, reporting on you and using your information and data without your permission that law is based on sound principal,” states a UKCookieLaw.org representative. “There has been much interpretation of how to implement the law and that debate continues.”

All that energy was directed at interpreting a confusing and counter-productive law instead of actually making changes that could help people’s privacy.

“The law does not tell you or dictate to you how to comply with it,” the rep explains. “The Information Commissioner monitors and enforces the law and is the body that can issue fines against website owners and ultimately take criminal proceedings. At the time of writing the likelihood of fine or criminal prosecution is low.”

The U.K.’s Information Commissioner’s Office (ICO), responsible for establishing the guidelines forcookie law compliance, sent a signal to website owners that the burden of the new law may indeed be for naught, when it not only revised the law days before its enactment, but also changed the way its own website handles cookies and compliance — by moving from an explicit to an implied consent model, not unlike the common practice in use since 2009, “except in a bigger font,” as one observer noted.

“This law has been much derided and ultimately proven to be unworkable by the people charged with enforcing it,” Oliver Emberton wrote for SilkTide.com. “The ICO is simply doing the inevitable: ignoring the law as much as they can, until it goes away.”

Emberton is not alone in his disdain for the legislation, which stems as much from its hamhanded approach as from its goals.

“It is almost as ludicrous as German sites with the ‘Imprint’ message,” Richard Robertson commented. “Even though there are clearly better translations of the German word (‘Legal’ or ‘Legal Statement’ are better choices) they still keep using a word that has an entirely different meaning than the one they intend.”

Perceptions of its uselessness aside, the cookie law remains very much in effect — with its last minute changes making it even easier for website owners to comply with.

For example, explicit permission from visitors before using cookies was modified to implicit acceptance. This is great news for publishers, as a 90 percent drop-off in visitors was reported by sites requiring explicit consent — such as the clicking of a checkbox that indicates the informed acceptance of cookies.

Obtaining implicit consent, on the other hand, may be as simple as displaying text or a banner linking to further information while informing the user that the site uses cookies, and that his or her continued visitation gives the practice the green light.

It sounds easy enough, but it seems a bit too much to handle for some companies.

A report by online privacy firm TRUSTe revealing the results of its analysis of more than 200 of the most popular U.K.-based websites, finds that while around half of these websites offer some form of privacy notice and cookie controls, around 37 percent seem to have taken no action towards complying with the law.

Of those sites found to be using third-party cookies, half had less than 25 cookies and 35 percent used 26-50 cookies, while 16 percent used more than 50 third-party cookies. Although 56 percent of studied sites used moderate to high levels of third-party trackers, only 17 percent of them have substantial cookie controls and prominent privacy notices, underscoring the scope of non-compliance — intentional or otherwise.

According to TRUSTe, creative, user-friendly approaches towards compliance are best when they are simple for users; provide easy cookie control settings; and individual descriptions of the cookie’s purpose. For example, displaying clear privacy notices that link to a page explaining what each cookie does while providing easily accessible cookie preference controls, in an audience friendly manner, is heading down the right track.

“Based on our analysis,” TRUSTe CEO Chris Babel stated, “it is clear that many companies have started to take the EU cookie directive seriously and devoted time and resources to implement a compliance solution that helps their users control the tracking activity on their site.”

Complaints to the ICO of sites using cookies without users’ permission are reportedly a fraction of those received in regards to other offenses. While fines of up to £500,000 ($774,150) may be imposed by ICO for non-compliance, enforcement letters are likely for websites making a good faith effort towards complying with the law.

That good faith effort can get a substantial jump start by following the ICO’s advice (www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/the_guide/cookies.aspx), along with its example; especially in how it informed visitors about changes (www.ico.gov.uk/news/current_topics/changes-to-cookies-onour-website.aspx), such as the following excerpt:

“The cookies we use are explained in detail on our cookies page. Cookies are used mainly to give us information that helps us make the website better,” states the ICO site. “By finding out how people use the website, we can make improvements that will help more people get the important information they need to either exercise their information rights or meet their obligations. The information collected via the cookies does not identify anyone.”

The ICO site now features a banner explaining that the website uses cookies and tells users that they can either change their cookie settings on the site’s new cookies page, or continue on to the site. By separating the cookie page from (but linking to and from) its Privacy Policy notice, the prominence of the information is increased, while providing website users with clear, detailed information about the site’s cookies and how to manage them using buttons that allow users to allow or deny non-essential cookies. Limits on the geographical information collected by the site’s analytics cookies were also imposed.

The ICO rationalizes the changes in its compliance strategy by stating that it made the changes “so that we can get reliable information to make our website better,” a statement that left many website owners asking, “What about [ICO’s own] rules on cookies?”

The organization maintains that it is indeed compliant with the latest rules and its own guidance in this area, pursuing the new policy due to better educated Internet users.

“We first introduced a notice about cookies in May 2011, and at that time we chose to ask for explicit consent for cookies. We felt this was appropriate at the time, considering that many people didn’t know much about cookies and what they were used for,” states the ICO website. “We also considered that asking for explicit consent would help raise awareness about cookies, both for users and website owners.”

“Since then, many more people are aware of cookies — both because of what we’ve been doing, and other websites taking their own steps to comply,” ICO added. “We now consider [that] it’s appropriate for us to rely on a responsible implementation of implied consent, as indeed have many other websites.”

It sounds like a case of “if you can’t beat them, join them” — and a smart idea at that.

Website owners, designers, developers and other stakeholders have faced frustrations over the cookie law and how it can best be complied with, while not placing a roadblock between website visitors and website content. It is not only the traffic loss resulting from cookie warnings and the unnecessary legal and implementation expenses occurred due to compliance attempts targeting a constantly changing regimen; it is the effort’s futility and mixed characterizations that adds insult to injury.

“The saddest irony of this saga is that the poor deployment and constant goalpost-switching around the mechanisms of the cookie law have meant that we have had no time to hold a meaningful discussion about online privacy and consumer protection,” stated Heather Burns of Glasgow-based Idea15 Web Design. “The original purpose completely disappeared in the implementation.”

It is a sentiment echoed by Emberton and others.

“All the complex solutions, which actually blocked certain cookies and so forth, were a waste. The panic, meetings and audits were certainly a waste,” Emberton exclaimed, noting that “the people who simply put a cookie page up apparently did the right thing.”

“All that energy was directed at interpreting a confusing and counter-productive law instead of actually making changes that could help people’s privacy,” Emberton added. “As most people don’t know what cookies are, banners saying, ‘we use cookies’ are pointless.”

Related:  

Copyright © 2024 Adnet Media. All Rights Reserved. XBIZ is a trademark of Adnet Media.
Reproduction in whole or in part in any form or medium without express written permission is prohibited.

More Articles

opinion

Best Practices for Payment Gateway Security

Securing digital payment transactions is critical for all businesses, but especially those in high-risk industries. Payment gateways are a core component of the digital payment ecosystem, and therefore must follow best practices to keep customer data safe.

Jonathan Corona ·
opinion

Ready for New Visa Acquirer Changes?

Next spring, Visa will roll out the U.S. version of its new Visa Acquirer Monitoring Program (VAMP), which goes into effect April 1, 2025. This follows Visa Europe, which rolled out VAMP back in June. VAMP charts a new path for acquirers to manage fraud and chargeback ratios.

Cathy Beardsley ·
opinion

How to Halt Hackers as Fraud Attacks Rise

For hackers, it’s often a game of trial and error. Bad actors will perform enumeration and account testing, repeating the same test on a system to look for vulnerabilities — and if you are not equipped with the proper tools, your merchant account could be the next target.

Cathy Beardsley ·
profile

VerifyMy Seeks to Provide Frictionless Online Safety, Compliance Solutions

Before founding VerifyMy, Ryan Shaw was simply looking for an age verification solution for his previous business. The ones he found, however, were too expensive, too difficult to integrate with, or failed to take into account the needs of either the businesses implementing them or the end users who would be required to interact with them.

Alejandro Freixes ·
opinion

How Adult Website Operators Can Cash in on the 'Interchange' Class Action

The Payment Card Interchange Fee Settlement resulted from a landmark antitrust lawsuit involving Visa, Mastercard and several major banks. The case centered around the interchange fees charged to merchants for processing credit and debit card transactions. These fees are set by card networks and are paid by merchants to the banks that issue the cards.

Jonathan Corona ·
opinion

It's Time to Rock the Vote and Make Your Voice Heard

When I worked to defeat California’s Proposition 60 in 2016, our opposition campaign was outspent nearly 10 to 1. Nevertheless, our community came together and garnered enough support and awareness to defeat that harmful, misguided piece of proposed legislation — by more than a million votes.

Siouxsie Q ·
opinion

Staying Compliant to Avoid the Takedown Shakedown

Dealing with complaints is an everyday part of doing business — and a crucial one, since not dealing with them properly can haunt your business in multiple ways. Card brand regulations require every merchant doing business online to have in place a complaint process for reporting content that may be illegal or that violates the card brand rules.

Cathy Beardsley ·
profile

WIA Profile: Patricia Ucros

Born in Bogota, Colombia, Ucros graduated from college with a degree in education. She spent three years teaching third grade, which she enjoyed a lot, before heeding her father’s advice and moving to South Florida.

Women In Adult ·
opinion

Creating Payment Redundancies to Maximize Payout Uptime

During the global CrowdStrike outage that took place toward the end of July, a flawed software update brought air travel and electronic commerce to a grinding halt worldwide. This dramatically underscores the importance of having a backup plan in place for critical infrastructure.

Jonathan Corona ·
opinion

The Need for Minimal Friction in Age Verification Technology

In the adult sector, robust age assurance, comprised of age verification and age estimation methods, is critical to ensuring legal compliance with ever-evolving regulations, safeguarding minors from inappropriate content and protecting the privacy of adults wishing to view adult content.

Gavin Worrall ·
Show More