May 25, 2012
On May 26, 2011, a new web privacy law came into effect in the United Kingdom (UK). The UK was first of the 27 European Union (EU) states to bring their laws in line with the directive intended to protect the privacy of individuals within the EU. With an understanding that there is work to be done and technical issues to resolve, the UK Government extended a one-year grace period for web sites to comply with the new regulations.
Well, the time as come! Effective tomorrow, the grace period is over and the Information Commissioners Office (ICO) will be authorized to impose fines of up to £500,000 — heavy!. In theory, all web sites that serve UK visitors would be subject to this legislation. In reality however, it will be very hard to pursue a case against companies with no legal presence in the EU.
While a few organizations may be looking to leverage web server locations as a scapegoat, it is the location of the legal entities that the enforcement agencies will be focused on– the web host locations won’t matter. There are many types of cookies and forms of consent, so the rules can get pretty complicated. 
So before you decide to cuddle with the cookie monster, consider that he can complicate your life and confine your business. For example, the legislation does not require consent for cookies to be used in situations defined as ‘strictly necessary’ — but what does that mean? As currently clarified, if a user has placed an order online, then it’s implied by the user’s initial request that permission be granted without further consent to interfere with the transaction. This is just one example of an exemption to the consent requirement, and there are likely to be many more as the battle continues. Very few precedents have been set, so it will be interesting to watch the progression in Europe — and to compare and contrast with the ‘Do Not Track’ agendas in the United States.
To further complicate the legislative implications, take a peek at the definition of “Consent” as noted in the Open letter on the UK implementation of Article 5(3) of the e-Privacy Directive on cookies: “Consent” is defined in the Data Protection Directive as “any freely given specific and informed indication of his wishes.” Note that there are no time constraints associated with this definition, and no specification that the consent must be “prior consent”. Therefore, it is possible that consent may be given after or during processing.
While a few of us may start to feel better about our online privacy, and I’d expect virtually none from the online marketing communities, this legislation has negative implications. The efforts required to acquire informed consent on the use of cookies are likely to be costly for web site owners and businesses. Non-compliant web site owners will have an advantage as well, because their users will not be faced with questions that interfere with their browsing and buying activities.
Is the EU agenda overkill? Why can’t we just rely on innovative solutions that work with our browsers, like Ghostery for instance, to give us better insight and control?
To learn more about online behavioral advertising using cookies, take a look at the video below from Christina Tsuei at The Wall Street Journal. This was created back in 2010, but still very relevant and helpful for understanding how cookies work.
