The UK’s Information Commissioner has told IT businesses to stop complaining and get on with allowing Internet users to opt out of receiving cookies from corporate websites warning that they cannot rely on browser settings to do the job for them.
The controversial ‘Cookies Directive’ (Directive 2009/136/EC) from the European Commission will become law in the UK, as well as all other European member states, on 26 May and will require companies to obtain "explicit consent" from web users before storing cookies. Cookies are tiny pieces of software that are installed on the user’s computer to remember log-in details and other preferences relating to a particular website. But they can be used to target advertising based on browsing history.
Many companies are reluctant to implement the measures asking for users’ consent to cookies because they fear losing effective tracking information about their website. However, others are confused about how to implement the law in the first place.
“Companies cannot stick their heads in the sand: these regulations are now law,” emphasised Christopher Graham, UK Information Commissioner. “There is a time for lobbying and a time for compliance, and the time for compliance is now. There’s no point fighting battles that you lost two years ago.” The directive was enacted by the European Commission in 2009.
Graham also admitted that it will be difficult for companies to get their houses in order at such short notice, but blamed the British government for not transposing the directive into law sooner. “We couldn’t publish any guidance until the law was published, and our guidance is very much a work in progress,” he explained.
“We are not going to be going in on day one with a heavy hand. There will be a period of grace, but that will not last longer than 12 months. And if I receive complaints on day one - which I will - we will examine how far efforts have been made to comply,” said Graham.
He went on to warn companies that in many cases, browser settings alone will not be sufficient for compliance. “Browser settings won’t help in all instances - for example situations where cookies are intrinsic to the site, such as a ‘shopping cart’. More sophisticated browser settings may help, but we have to wait for browsers to be able to cope,” he said.
This may lead to confusion for companies operating in other European member states, as many are stumped on how to transpose the directive into national law. To date, only the UK and Denmark have done so. What "consent" to cookies requires in practice is not defined in detail in the directive, and some countries are hoping that, in principle, a browser set to “accept cookies” implies consent.
But “the circumstances in which such settings can be considered appropriate for expressing the user's consent depends on how well they meet the general requirements in the legislation”, said European Digital Agenda Commissioner Neelie Kroes.
So far, so unclear.