Last June I blogged about the transposition into UK law of the EU’s e-Privacy Directive, and noted that although the corresponding UK law came into force in May 2011, the UK’s privacy regulator gave firms a further year to “demonstrate progress towards compliance”. That year is almost up. The ICO has now indicated that there is little risk of companies facing any enforcement action if they fail to comply with the law. To be a little more precise, the ICO’s position appears to be this:
- The EU Directive distinguished between “technical” cookies, which were loosely defined as “those essential to the operation of a website”… such as cookies which reflect the status of your shopping basket and items in it, and “tracking” cookies, which do not contribute to the operation of the site, but serve to gather data about the site’s visitors.
- “Technical” cookies are acceptable, under the EU Directive; “tracking” cookies may only be used if the user’s consent has been indicated in some way (with all the potential practical problems that might entail).
- The UK Privacy and Electronic Communications Regulation (and I can only apologise for the unfortunate US English connotations of that acronym), “does not distinguish between cookies used for analytical activities and those used for other purposes”.
- As a result, the ICO “does not consider analytical cookies fall within the ‘strictly necessary’ exception criteria” – so user consent is required.
- BUT… the ICO is less likely to take formal action – even for analytical cookies – if they are first-party cookies [see Mike O'Neill's comment below, and my reply], if they demonstrate “a low level of intrusiveness”**, or there is a low level of risk of harm to individuals.
To cut it short: it’s not hard to characterise the ICO’s position as “we’re going to qualify any possible intervention so rigorously that, in the end, we won’t actually do anything about cookie use”.
What should one conclude?
First, let’s give the ICO the benefit of the doubt and ascribe their semi-recumbent posture to pragmatism rather than spinelessness. Arguably, the EU’s Directive on cookies was a well-intentioned piece of legislation, but hopelessly impractical because it depended entirely for its effectiveness on factors outside the EU’s control (the willingness of browser manufacturers to implement meaningful controls). On that basis, the ICO can maintain that it has more important things to do than find ways of shoring up someone else’s fundamentally flawed legislative initiatives.
Second, if you are a company with a possible compliance obligation under the UK’s PECR law, it looks like you can score the risk of UK regulatory action as “low”… though if you choose to do absolutely nothing about compliance, don’t blame me if you suffer reputational damage as a result. You should also keep an eye out for anything the ICO subsequently says about third-party cookies, because so far the “wiggle room” only extends to first-party ones.
Third, where does this leave the European Commission? Well, on one hand, they are still dependent on browser maunfacturers’ progress towards a robust “Do Not Track” implementation – but it is perhaps now clear to the Commission that a unilateral attempt to impose a cookie law under those circumstances was unrealistic. On the other hand, the shaky status of the Directive should also remind the Commission how risky it is to try and legislate at the level of specific technical mechanisms, rather than defining a clear policy objective and leaving the technical details to the technicians. Viviane Reding did the Directive no favours when she explained that it was based on the distinction between “technical” cookies [nice] and “spy” cookies [nasty]. Framing the discussion in those terms makes life almost impossible for the regulators, does nothing for the privacy interests of the user, and gives malevolent online services a free run at any privacy-hostile tracking technique that is not cookie-based.
Cookie regulation may have seemed like a temptingly achievable target, but I think the Commission needs to acknowledge the following problems:
- It was a bad idea to frame privacy legislation with reference to a specific techical mechanism, rather than relevant privacy-related practices on the part of the service providers;
- It was a bad idea to leave an EU law so much at the mercy of critical success factors outside EU control, without seeking some form of consensus before drafting it;
- It was a bad idea to focus so closely on cookies that other privacy-hostile tracking techniques pass un-noticed.
Let’s be optimistic, though: if the Commission can learn from the shortcomings of this legislative initiative and maintain the political will to try again, it could do better.
**You might, of course, think that “a low level of intrusiveness” was exactly the problem that the Directive sought to address in the first place, by insisting that users be given the opportunity to express clear, informed, unambiguous, prior consent. I couldn’t possibly comment.
Category: Uncategorized Tags: