The way the cookie crumbles

If your website uses cookies, then from May 2011 it could be operating unlawfully. While there's some debate about exactly how the new law will be interpreted, site owners need to think now about their response to the looming cookie crisis.

 

COMPLIANCE

The looming cookie crisis

Cookies are everywhere: a seemingly inextricable part of the way our digital world works. From email bugs to the affiliate-marketing jungle and Google's mighty cookie-based analytics empire, these little text files have helped bring a degree of measurability and customer trackability unparalleled in marketing history.

You can pick up half a dozen cookies just surfing the BBC news over lunchtime — and that's before you even look at sites with third-party ads. Our own site just dumped or read five Google Analytics cookies on your machine as soon as you arrived… hope you don't mind.

Thing is, they're about to become illegal (at least in their current style of use) in about six months' time. And the data that we aggregate from those cookies is going to take a severe knock: we may need to rethink how we do the things we do now.

 

What you need to know

  • In September 2010, the UK government passed through EU legislation that puts tough new controls on the way site cookies are used. The new law will come into effect by May 26th, 2011, at the latest.
  • Qwerius is not qualified to give legal advice, but as all of our clients would be affected in some way, we're giving our reading of what we've gleaned. We urge you to talk to your company's advisers for a professional legal interpretation.
  • The essence of the new laws: your website must get every visitor's prior and informed consent before you put cookies on their machines, otherwise you will be breaking the law.

Think about the new scenario for a moment:

  • A user clicks through to your campaign landing page. Before anything else, you need to put up a dialog pop-up asking them for permission to track them with cookies. You need to give them full information on why cookies are needed, so that their consent (if given) is informed.

A clearly stated exception to this law: those cookies that are 'strictly necessary' to the provision of a service 'explicitly requested' by the user. For example, the cookie your site uses to safely move a user from the Buy button to the Checkout page could be exempt: no prior consent is apparently needed (although, arguably, even here a cookie is not strictly necessary because there are other ways of doing it).

All other cookies are potential targets of the rule that prior consent is necessary. In other words, if you want to track user visits, site activity, advertising messages and the like, you're going to have to ask and receive permission from the user before dumping cookies on her hard drive. The corollary to that is, you need a website and a financial payback model that will continue to function smoothly without cookies if such permission is denied.

  • Bear in mind that the current model followed by most UK sites is opt-out: customers come to your site, you load them up with cookies, and then if someone objects they are expected to find, in small grey text somewhere, instructions on how to get rid of the offending strings of text. If you follow that model after May 2011, your site will be breaking the law. The future is opt-in.
  • So far, so bad: at least up to this point the wording is pretty unequivocal and the general thrust of the law's intent is clear: Unrequested cookies violate user privacy and are illegal. Period. Opt-in cookies are the future — the only future.
  • The obvious potential losers: marketing departments, site managers, analytics teams, advertisers — anyone who has hitherto relied on tracking visitors through cookies.
  • As you'd expect, the advertising and analytics industries are up in arms over this: bang goes all the instant trackability, measurability and accountability that we've come to expect from digital marketing.

  • But it gets worse. The full wording of the legislation as drafted by the EU lawmakers and rubber-stamped by our parliament is messy: it leaves scope (some say) for a contradictory interpretation.
  • The messy bit, specifically, is a kind of advisory comment — not part of the formal law, but intended to provide a guide as to the law's context — tucked in by the lawmakers. It throws everyone from a state of absolutely certain bad news into a state of uncertain pretty lousy news. Qwerius interprets this advisory comment as saying: "You know what we said about how opt-in, explicit, prior, informed consent of cookies is absolutely required? Well, it might be OK if this approval comes indirectly from the user's chosen browser settings rather than an explicit human click on a 'Yes To Cookies' button."
  • This doesn't change the general thrust of the law — that opt-in cookies are the only way forward — but it sounds like a sort of sop to those worrying about the damage caused to the whole internet experience if users have to keep accepting and declining cookies as they work through a site. This messy clause appears to say that if the user's browser preference is set to accept cookies automatically, that's all the permission you need.
  • Advertisers have desperately latched on to this point, saying that if users have their browser settings set to permit cookies (either knowingly or through inaction or ignorance), that constitutes informed consent and it's Business As Usual. But an EU privacy watchdog called the Article 29 Working Party has just published its interpretation of the new law — and it disagrees with this stance. It says:

    "Consent must be obtained before the cookie is placed and/or information stored in the user's terminal equipment is collected, which is usually referred to as prior consent… Informed consent can only be obtained if prior information about the sending and purposes of the cookie has been given to the user. Average data subjects are not aware of the tracking of their online behaviour, the purposes of the tracking, etc. They are not always aware of how to use browser settings to reject cookies, even if this is included in privacy policies… It is a fallacy to deem that on a general basis data subject inaction (he/she has not set the browser to refuse cookies) provides a clear and unambiguous indication of his/her wishes."

  • It gets even more complicated in the Article 29 Working Party's interpretation. In a nutshell, it's possible that ad-serving networks might be able to get away with getting user permission once and only once for the entire network and for the sites served with ads by that network. But users would have to renew permission once a year, and would be able to withdraw permission at any time.

 

The way we see it

  • Regardless of who wins the argument about that messy 'clarifier' from the lawmakers, everything changes for cookie-dispensing sites from May 2011.
  • Today's cookie practices will become illegal at that time. You will no longer be able to plant cookies and ask the user to delete-and-forgive later.
  • Opt-in cookies are the future — the only future. Plan for it. The only variable is just how it's going to be actioned.
  • Worst case: It will become illegal to put a cookie on a user's computer, pad, phone or whatever without asking for and receiving their informed consent beforehand. And you probably need to be prepared to demonstrate to some irate EU body somewhere that your single lonely little unrequested shopping-basket cookie is indeed strictly essential.
  • Best case: Some reliable legal guidance will be made available between now and May 2011 to explicitly state that it's OK to assume user permission for cookies based solely on their browser settings. At least then we'll have clarity.
  • Unthinkable case: There is no clarification provided, and we're all going to have to assume that browser-setting based permission is OK, until someone possibly gets sued and fined.
  • Any tracking, measuring or analytics system, or general website mode of operation that's dependent on cookies is going to have to be re-engineered or abandoned. That includes Google Analytics, currently on about 50% of the world's top one million sites — including ours.
  • Even if the 'softened' version of the law is adopted (and there's absolutely no reason to think that it will), users will have to be made explicitly aware of their browser settings and their effect on privacy and tracking. That's bound to see a lot of people opt out, and the numbers we all track are going to take a hit. How representative will our performance tracking stats be?

And think about this: this whole thing isn't about cookies. It's about privacy and informed consent. So any solution we come up with has to be above-board. User tracking has to come out into the sunlight once and for all.

Time to talk to your lawyers, perhaps. And to Qwerius: we're working hard on solutions that enable slick Web experiences to stay that way in a cookie-starved world.

 
