Government fails to protect UK businesses over cookie law

Today the Information Commissioner’s Office (ICO) finally released the much awaited guidelines on UK cookie law. The result? That all UK websites have just over two weeks to comply with the new law which states that you can “not store or gain access to information stored, in the terminal equipment ” unless the user has “given his or her consent”. OK so nothing majorly new there but what I am slightly aghast at is the ICO’s first piece of advice for website owners on how to deal with this:

“Pop ups and similar techniques”

So with just over two weeks to go before anyone using web analytics begins to break the law, and the best advice from the ICO is to resurrect one of the most hated spectres of internet history; the pop up.

The IAB reported that online ad-spend hit over £4 Billion in the UK in 2010, up 23% on 2009 despite the grip of recession still taking hold of the country. This trend-bucking growth is largely down to the growth of the digital marketing industry and it’s ability to innovate through technology. Cookie technology drives most web analytics platforms, which in turn can help provide better user experience, more relevant web content and overall browsing.

We are now expected to believe that the best way to protect consumer privacy is to drag the industry backwards 10 years by launching a pop up every time a cookie is dropped on a browser? For an idea of how annoying this could look check out Dave Naylor’s blog here. I personally browse the web using 4 devices across 4 different browsers – this means, even for my favourite websites I will have to submit ‘consent’ many many times before the pop-ups go away.


Further to recommending pop-ups the guidelines are fail to explicitly define what ‘consent’ is. One section of the document explains that there is ‘narrow’ exception for data that is ‘strictly necessary’ such as:

“when a user of your site has chosen the goods they wish to buy and clicks the ‘add to basket’ or ‘proceed to checkout’ button, your site ‘remembers’ what they chose on a previous page.”

From this you could argue that it is strictly necessary for a cookie to be dropped when a user first arrives – otherwise how do you let the browser know in future visits that consent has been given? Google Analytics uses 5 different types of cookies; none of which collect PII data – do I need consent for every single one? Are bowser settings enough? (Maybe). The guidelines are so open to interpretation that there will be many such questions, with only two weeks to answer and comply. I can hear the creaking development queues of IT teams around the country groaning now…

Personally I feel the government has failed in it’s duty to protect one of the key growth industries left in the UK. An inability  to see the difference between 3rd party cookies for behavioural display, and first party anonymous analytics cookies will leave 1000s of companies unsure as to whether they are breaking the law or not. I just hope that Mike Butcher is wrong and we are not handing business over to our state-side counterparts; based on these guidelines I can’t really tell.

2 comments en "Government fails to protect UK businesses over cookie law"

Leave a comment

E-mail (not displayed)
Web page