Duncan ParryBy Duncan Parry


Last year I wrote about the UK Information Commissioner Office’s efforts to enact the EU ePrivacy Directive, and the “year’s grace” granted to brands to help them comply.

May 26th, 2012 is Cookie Day – the day the grace period ends. Whilst the ICO isn’t going to start breaking down doors and issuing fines the day after the grace period ends, brands need to make sure they have taken steps to comply – and continue to do so.

This is about adjusting continual business processes; not just a one-off audit. It doesn’t need to be onerous, however – I’ll explain our suggested steps later on.

Unfortunately, there’s not exactly been a wealth of additional guidance from the ICO or the Department for Culture, Media and Sport since I wrote about this topic last May. The ICO did publish a half-time report  which suggests they see some organisations taking firm steps to comply, some 3rd party solutions being developed (but they won’t list them) and some work by browsers to help with this effort. Personally I think those efforts are more about US privacy developments.

Do Not Track: The US Solution to the Cookie Law Conundrum?

Regardless of the EU Directive, privacy campaigners (and the inevitable class action lawyers) have stimulated developments in the US, with the Obama administration backing voluntary privacy guidelines. Whilst they didn’t go as far as campaigners might have hoped, the guidelines, dubbed “The Consumer Privacy Bill of Rights” according to The Washington Post “…users should have more control over data collected about them and how the information is used; consumers should be able to limit the collection of personal information, especially about children; and users should be able to correct false information about them.”  The FTC will police these, and more detailed guidelines will be created in future.

The end result is that Google, Yahoo!, Microsoft, Mozilla and AOL have agreed to voluntarily embed “do not track” buttons in Web browsers. Exactly when these will be live, what options they will offer – and if they will only operate in the US – isn’t clear. Interestingly, Mozilla has offered this functionality for a while anyway, with 7% of desktop and 18% of mobile users apparently enabling it.

‘Do Not Track’ could offer exactly the mechanism the ICO and industry bodies suggested in the UK when they stated they were talking with browser manufacturers (I’ve yet to see any coverage of those talks yielding anything). I envisage that this “button” blocking tracking cookies (including ad networks and analytics, as well as third parties like Doubleclick) will not include cookies used for site functionality. Only time will tell the hoops webmasters will have to go through to prove cookies are used for site functionality – and they won’t be ready by May 26th.

Practical Advice: 6 Steps

So, all in all…it’s still a bit of an impenetrable area here in Blighty. I’m no lawyer, but my tips from May of last year seem to stand up quiet well. Based upon them, the “half time” report by the ICO and the IPA’s recent seminar for agencies, I suggest:

1: Audit your cookies and tags

2: Categorise your cookies and tags

3: Update Privacy Policies and Consider Site Ts and Cs (this is low hanging fruit IMO)

4: Decide how to tell consumers – and plan site changes

5: Change processes to add any future cookies to the above

6: Monitor the press and ICO website

You can read my full advice here

Point 4 for me is where most brands will be behind schedule – how many are ready to tell visitors cookies are being set, and then easily enable them to opt out of 3rd party cookies that aren’t vital for site functionality?

The ICO site provides one example of doing this on their site for all cookies:

ICO cookies example


My previous article (link above) included other suggestions and screenshots, and there are 3rd party solutions popping up, like ‘The Cookie Collective’. Of course visitors to their site are also presented with an option:

 cookie collective


Follow the above steps and keep an eye on future announcements by the ICO; they have stated they will ramp up their activity around this topic as May approaches.

To quote the ICO: “If your website uses cookies and you are not doing anything to get consent then you are not compliant.” So you must start taking steps before May 26th, 2012.

Useful links:

ICO: Confidentiality of Communications Guide (Cookies)

ICO Half Time Report

ICO on Twitter

Lewis Silkin on the DCMS and Cookies

All About Cookies from the IAB

Your Online Choices: IAB Guide to Behavioural and Cookies for Consumers