Wednesday, May 11, 2011

New EU Cookie / Privacy Law - Should you panic?

There's been a lot of fuss recently about the new "EU Cookie Law", and what effect it will have on EU- and UK-based online businesses. The EU directive has been around and discussed with varying degrees of hyperbole for a while, what's caused the recent kerfuffle has been the adoption into UK legislation pretty-much as-is.

So, should you be panicking in order to meet the implementation date of 26th May 2011?

Well... maybe, but I'm not.

Allow me to explain.

There is cause for concern - just like we saw with the RIPA act circa 2000, the legislation is clearly well-intentioned, but has just-as-clearly been implemented by people with little understanding of the problem domain. The full legislation is available from the horse's mouth here: The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011, but I would recommend the implementation guidelines from the Information Commissioner's Office for a slightly lighter read.

Credit where it's due, the guidelines give a welcome degree of balance and reasonableness to the situation, but even so they manage to contradict themselves.

The important section is "What do the new rules say?", where it quotes the relevant section of the new legislation:

6 (1) Subject to paragraph (4), a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.
(2) The requirements are that the subscriber or user of that terminal equipment--
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
(b) has given his or her consent.
(3) Where an electronic communications network is used by the same person to store or access information in the terminal equipment of a subscriber or user on more than one occasion, it is sufficient for the purposes of this regulation that the requirements of paragraph (2) are met in respect of the initial use.

(3A) For the purposes of paragraph (2), consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent.

(4) Paragraph (1) shall not apply to the technical storage of, or access to, information--
(a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
(b) where such storage or access is strictly necessary for the
provision


Now, correct me if I'm wrong, but that seems fairly clear - if the user sets the controls on their internet browser to accept cookies, consent may be taken to be signified, right? Riiiiight?

Well, apparently not. A little bit further down the document, it says:

I have heard that browser settings can be used to indicate
consent – can I rely on that?
(...)
At present, most browser settings are not sophisticated enough to
allow you to assume that the user has given their consent to allow
your website to set a cookie

Er...wut? Most browsers are set to accept cookies by default, but can be changed to reject them, or to reject third-party cookies, or prompt for each one. How is that not giving consent? And how does this guidance interact with paragraph 3A from the regulations themselves?

There's another implementation question as well. Let's walk through a workflow.

  1. User X arrives at a site
  2. Site wants to set a cookie so that it can identify that User X's next click comes from User X, and not any of its other users.
  3. ..So Site has to ask for consent, presumably by an irritating and obtrusive pop-up window, or some other interstitial means. Remember that cookies are sent back as part of the HTTP response, so the decision regarding whether or not to set a cookie is taken on the server, before a response is sent back to the user.
  4. If the user says "YES", all well and good - Site sets a cookie and remembers that choice.
  5. BUT... what if the user says no? How do you remember that choice, without using a cookie? You can't, right? So you're going to have to ask every request...

OK, that's admittedly a simplified scenario for the purposes of making a point. But the point is valid - it's going to be extremely tricky to think of ways of implementing this directive in any meaningful way without destroying your user experience. And what about the ubiquitous third-party cookies that form the basis of services such as Google Analytics? Again, the guidelines are specific:

An analytic cookie might not appear to be as intrusive as others that might track a user across multiple sites but you still need consent

And THAT, paradoxically, is why I'm not panicking. Laws that are very difficult to comply with are, in practice, difficult to enforce. This law, if it ever does get enforced, is most likely to be used as a political club to attack a high-profile mega-corporate that couldn't be brought down any other way - think MS and the eventually farcical browser-bundling lawsuit. Think Al Capone, and the fact that the only crime he ever got convicted of was tax evasion.

There have also been some surprisingly reasonable quotes from the Information Commissioner's Office and the Government :

[Information Commissioner Christopher] Graham said the ICO was clear the changes should not have a detrimental impact on consumers nor cause “an unnecessary burden on UK businesses.”

and

we do not expect the ICO to take enforcement action in the short term against businesses and organisations as they work out how to address their use of cookies (Ed Vaizey, Culture Minister)

Regardless, there may well end up being a high-profile test case at some point, which will garner huge amounts of publicity and huge amounts of lawyers saying things like "this is a very interesting case" - which, to paraphrase Terry Pratchett, is lawyer-speak for "at least six months at three grand a day, plus expenses, per lawyer, with a minimum team of ten". It will eventually establish a precedent for judicial interpretation of the act, and at that point the necessary course of action will become clear.

Until then, I'm not panicking. And neither should you.