What Britons need to know about U.K. 'cookie law'
Let's be honest, the U.K. has made a right hash-up of implementing the cookie law from start to finish. It came into force Saturday. Here's everything you need to know.
If you've seen a "cookie settings" warning like this recently, you're not the only one.
You had until today to comply with the new European cookie law.
You won't be the only one, though. It is thought the majority of U.K. Web sites are breaking the law that dictates how users' are tracked and logged, despite having more than a year to prepare for the changes.
Here's what you need to know.
What's the lowdown: E.U. cookie law or U.K. cookie law?
The E.U.'s "e-Privacy" Directive, which first came into force in 2002, was amended in 2009. Each of the E.U.'s 27 member states were told to bring the directive into their own member state's law by this time last year, including the United Kingdom.
The U.K.'s amended Privacy and Electronic Communication Regulations (PECR) Act 2011 was brought into force on May 26, 2011. The law stated, among other things, that companies operating in the E.U. and the U.K. must obtain the consent from its Web site users.
Cookies allow Web sites to offer a more personalized experience, such as remembering a user's preferences. Cookies can also be used for tracking user behavior, and also by Web site owners to track how often their pages are being visited and other interesting non-personal user information.
Some major Web sites, such as the BBC, have implemented new systems to inform users and allow them to opt-out. However, most U.K. government Web sites aren't ready and already fall foul of the law.
The directive dictates that users should be aware of which kind of cookie is being set, varying from "essential" cookies, such as those used to remember which goods are in your e-shopping cart, to "non-essential" cookies that can be used to track user behavior.
But cookies are only a small part of online tracking, right?
Correct. The E.U. Directive contains only a portion relating to cookies, but also targets "non-essential tracking," regardless of whether a cookie is involved or not.
Arguably it has distracted many from the wider implications of the directive. Web site and Web application operators need to determine whether third-party trackers -- such as advertisers and analytics -- are used on their sites.
As much as 40 percent of tracking activity is often not related to cookies, so a "cookie audit" should look outside other tracking technologies.
Why is the U.K. 12 months behind everyone else?
Only three countries actually met the deadline. Denmark and Estonia met the deadline, and the U.K. came close but probably got no more than a D+ for effort.
The U.K.'s data protection agency, the Information Commissioner's Office (ICO), gave U.K. companies a 12-month reprieve because many were not ready by the half way point in the ICO's grace period.
The 12-month reprieve was given because many had to rip open the innards of their corporate Web sites and Web applications to work out where cookies were implemented and when they were set.
Define "consent," exactly.
But there's a problem. Only a few days before the May 26 deadline, the ICO updated its guidance to state that "implied consent" will suffice, seemingly going against the original European Directive. The ICO said that the continued use of a Web site or Web application would imply the user is consenting to the changes -- shifting the responsibility of consent to the user rather than the Web site owner.
On a practical level, as an ordinary Web user, what are my likely options in accepting or declining cookies?
BT, which has more than 8 million U.K. broadband customers, may have one of the best cookie settings examples available.
In this example, it allows the user to pick between strictly necessary cookies that allow the site to simply work, functional cookies that restrict social sharing and behavioral tracking code, and targeting, which allows full user tracking and the fullest possible experience.
Unfortunately, because all Web sites and Web applications are set out differently and vary in size and structure, there is no one-size-fits-all solution to every site.
Some Web sites will offer "implied consent" that gives no option except the choice to leave the site, while others will simply allow users to check a box and allow all non-essential cookies in.
I'm a U.S.-based company with a U.K. and E.U. presence. Am I affected?
U.S.-based companies with a presence in the European Union, no matter how small, are still liable to E.U. laws, regardless of whether your Web site or Web application is hosted in the E.U. or elsewhere. Mobile application developers are also subject to the E.U. laws (see below).
In this scenario, while your U.S. Web site and all other non-E.U. Web sites are not liable to this law, your dedicated pages for the U.K., Italy, France, Germany, and so on, are all affected. It's just the U.K. has taken a little longer to get the wheels in motion.
What are the penalties for failing to comply?
At the moment: there aren't any.
The ICO can normally issue massive fines if a company, organization, or governmental body is in breach of the U.K.'s data protection or privacy laws. For the cookie law, the ICO said it has the power to fine up to 500,000 pounds ($780,000), but said it wasn't going to suddenly "launch a torrent of enforcement action."
The regulator will instead keep its eyes peeled and continue to push for sites to become compliant -- despite having a year to stand on the right side of the law. As long as companies are willing to make the changes and can prove they are making steps to become compliant, it's likely the ICO will carry on with its softly-softly approach.
But I heard most U.K. government Web sites will miss the deadline?
How very ironic. Indeed, ZDNet UK reported that most U.K. government Web sites will not be compliant by May 26.
The Cabinet Office said it was "working to achieve compliance at the earliest possible date," which is government speak for, "by the time the next election comes." Again, the ICO is fully aware that compliance is not an overnight job, and some can work all year with no avail.
A ICO official said earlier this month that the U.K. data protection and privacy regulator may give organizations "years" to comply with the law.
"Some of the timescales don't match the May 2011 to May 2012 deadline. We recognize that some of the people we speak to don't have Web development cycles that start just because the ICO has set a deadline," said David Evans, an ICO senior policy manager.
I develop Android, iOS, Windows Mobile apps. Am I affected?
Indeed, you are. All downloadable apps from applications stores -- such as Apple's App Store, Google Play or the Windows Phone Marketplace -- are subject to the new laws. The ICO said it would be examining the stores closely to ensure compliance.
This of course does not mean just cookies -- it includes any in-built tracking code that would enable access to a user's smartphone data.
"Apps are one of the items on our list," warned David Smith, deputy commissioner for the ICO. "It's quite clear that if someone is storing something on a device, or accessing information that is already stored on a device, one of the issues might be the form of consent when an app is downloaded."
I heard the E.U. just 'outlawed' Web site analytics?
Not quite, and far from.
It's true that if you use Google Analytics, or any other service that gives you basic numbers through to pretty graphs to show you how many people visit, when, and what they look at, you will be affected.
But the new law has to accommodate the fact that Web site tracking is extremely common and is all but impossible to outlaw. It's therefore down to the Web site owner or Web application developer to inform its users that it wants to track you.
The ICO said it wants to "focus its regulatory efforts on the most intrusive cookies or where there is a clear privacy impact on individuals" which may or may not include cookies that count you as a visitor to its statistics. The ICO remains frustratingly vague in this area.
Two-thirds of cookies are for adverts, but ads keep the Web free?
It seems somewhat counter-intuitive for the European authorities to impose stricter rules on how online advertisements work because its those advertisements that keeps the Web vastly free.
Interestingly, the Financial Times report that more than two-thirds of cookies are for ads. As you'll imagine, this means that unless sites become complaint, the ads displayed on sites will be in breach of the law.
This very site is free. This site doesn't charge you to view its articles or leave feedback. But it does install a whole bunch of cookies on this very device that you're reading this article on. It also installs a whole boatload from third-party advertisers.
But one of the major concerns is if users fail to accept the cookies, many sites will not see you as a statistic nor will the Web site be allowed to display ads, leading to the Web site owner losing money.
What is the ICO doing to chase big companies over the cookie law?
The ICO is in the process of chasing around 50 large companies with a U.K. presence in a bid to set a good example, reports ZDNet UK.
The ICO said [PDF] it had contacted Facebook, Google, Amazon, AOL, and Apple UK -- including dozens more to "remind" about compliance with the new law. It also includes major media Web sites, such as the BBC -- which is now compliant, a BBC spokesperson said -- along with other media organizations, such as Associated Newspapers Ltd., which owns the Metro and Daily Mail Web sites.
This story was first published as "UK 'cookie law' takes effect: What you need to know" on ZDNet's London Calling blog.