The Year the Cookie Crumbled?
2011 was predicted to be the year the cookie crumbled. We are not, of course, talking about substandard biscuits, incapable of surviving a two second dunk in a cup of tea, but the electronic kind and their technological equivalents that allow access to, or storage of, information on a user’s computing device. It is these cookies that are relied upon by websites to manage and monetise their online content and services.
In the data protection world consent is considered to be a freely given, specific and informed act by which a person signifies their agreement to the processing of data relating to them. This interpretation does not, however, fit neatly with the way the internet and cookie technology has evolved over the past 15 years, where cookies are often served before the first page request is even loaded. In addition, while browsers have historically had acceptance of cookies as a default setting, the Government does not currently view browser settings as an effective way to show consent, given their current lack of sophistication and because most users do not understand how to change them.
The implications of this change in the law are, therefore, of real significance to online businesses and in recognition of this fact the UK regulator, the Information Commissioner, allowed businesses a period of twelve months (until 26 May 2012) to find ways to comply with the new law during which there will be no enforcement procedures.
Where are we now?
We are now half way to this extended compliance deadline yet there are few visible signs that businesses have taken steps towards ensuring they obtain user consent to cookies. The Information Commissioner has started making noises about businesses sitting on their hands and failing to accept the inevitability of change but making statements such as "the law (for all its faults) is the law, so live with it..." are hardly helpful.
There are a number of reasons for this apparent lack of action. In particular, it is no small undertaking to identify and review the use by a businesses of the cookies it uses across its websites. Some organisations may have an online presence extending to hundreds of different websites. In practice there are many businesses busy grappling with these issues behind the scenes. This process is made more difficult due to the lack of any clear across-the-board technical solution to the problem that does not involve committing a business to significant cost or placing existing revenue models from online advertising in jeopardy (hardly an attractive proposition in the current economic climate).
Looking ahead to 2012
It would be incorrect to say that nothing is happening and we are likely to see more evidence of measures such as those described above being rolled out as we move closer to May 2012. These issues are likely come to a head in 2012 as the majority of Europe joins the UK in taking steps to implement the revised European law. Although only a handful of countries have successfully implemented the law to date, evidence from draft legislation in other jurisdictions suggests that we are likely to see differing approaches to the strength of consent being required.
2012 may prove to be the crunch year for cookies, particularly with the imminent revision of European data protection legislation which will almost certainly define "consent" for the first time in this context. Certain practical compliance problems still appear intractable and a solution may not be reached in the remaining six month 'compliance holiday' allowed by the UK’s Information Commissioner. Industry and regulators will need to tackle these significant financial and technical difficulties and cooperate to achieve some kind of workable and commercially realistic solution .
For those who have genuinely yet to do anything? Well, six months is not a long time.
"2012 will be a crunch year for the cookie as businesses roll out their compliance strategies and the regulator's enforcement amnesty expires in May 2012."
"We are now half way to this extended compliance deadline yet there are few visible signs that businesses have taken steps towards ensuring they obtain user consent to cookies."