A Story of a Cookie that Wasn’t Easy to Digest

Not too long ago, I wrote a post on the new Cookie law (which included a good Cookie recipe too, so if you still haven’t read it, you have more than one reason to do so now!).

Here is how it all came to be…

1990s – a blast from the past

Years and years ago, when I wasn’t born and you were still a child, there was only one understanding of what a ‘cookie’ was: a small sweet cake, typically round, flat, and crisp which goes rather well with milk, coffee, tea or another beverage.

In those days, use of the Internet was at quite an early stage – every visit to a website was like a first one. There was nothing like remembering login details, or getting personalised recommendations on online shopping websites. This was simply because computers were not equipped to record a visitor’s history on said site. Thus, saving and storing information was not possible, and commercial transactions had to be finished all at once. What a great time for online privacy this must have been!!

It wasn’t until roundabout the 1990s, when the Internet had started taking off, that a guy called Lou Montulli, an employee with Netscape Communications, invented the cookie monster as we know it today. The new technology was initially called a “persistent client state object,” but its name was later changed to the jazzier “cookie”, after what was known on the Unix platform at the time as a “magic cookie”.

While you can’t munch a computer cookie with a glass of milk or hot coffee, it is thanks to it that Internet surfing is as user-friendly as we know it today.

So we all lived happily ever after with this new discovery, as the Internet advanced even more and websites such as eBay, Amazon, and the Social Network (Facebook that is) came about. The use of cookies was convenient for users because they could easily shop online, return to their favourite websites without having to log in each time, and get personalised recommendations based on their browsing history. Of course, the majority of people were blissfully ignorant about how this all happened, but they did get what they wanted, and so did website owners, who gradually learned how to use cookies to their best advantage. Online advertising came to be, which gradually led to another concern…

What about privacy?! 

Whilst users had the option to disable cookies from their browser settings quite early on, as I said, the majority of website users didn’t have sufficient information which could enable them to do this.

Then came November 2009, though, when the European Union became concerned about internet users’ privacy and data protection and decided to change the requirements that online providers must meet when using cookies, from what was called an ‘opt-out regime’ to a requirement for informed consent. This is contained in article 5(3) of the E-Privacy Directive (revised Directive 2002/58/EC). Member States had to implement a change into their domestic laws which would now require website providers to (i) seek the user’s consent prior to placing cookies onto their device and (ii) provide them with sufficient information about what cookies are and how they are used.

The new Cookie law took effect in the UK on 26 May 2012. It was a change quite hard to digest, particularly with the lack of a single recommended practice and with the 11th hour change in the ICO guidance on the implementation of the law. Read more about it all in my previous post on the topic.

What about Businesses?!

Over 4 months later now, and you may be wondering how far UK businesses have gone in digesting the cookie law. Not that far is the answer.

A report by KPMG states that around 65% of UK websites are still not notifying their customers before installing tracking cookies. The report further says:

  • 12% of the 231 websites studied had implemented prominent privacy notices with robust cookie controls.
  • 51% had opted for minimal privacy notices with limited cookie controls.
  • 37% did not appear to have taken any steps towards compliance.

How is this possible? Is it scepticism? Is it disagreement that the change is necessary? Lack of understanding on how to go about compliance? Lack of belief that the ICO will take action against non-compliant websites?

A little bit of everything I would say.

First there was the fact that most of the businesses in the UK took the ‘wait and see’ approach, i.e. not quite doing anything until they got better information about how the change was going to work.

Then there was a tiny percentage of businesses that actually took all the steps required by the ICO in anticipation of the change on 26 May 2012. They did their cookie audits, they designed prominent banners that sought the explicit consent of the user. They were well-armed with everything they needed to face the D-Day. Then the ICO changed their mind. They decided implied consent will suffice, just to make it easier on most businesses. And that tiny little percentage of diligent website owners got annoyed. Or confused. Or both.

The ICO stated it had powers to impose a fine of up to £500,000 on non-compliant web providers. But that still didn’t quite scare website owners, since shortly after, the ICO admitted that, well, they weren’t quite ready to take action just yet.

This certainly was welcomed by the majority of UK web providers who weren’t very keen on the change in the first place. Well, why would they be? The few businesses that became compliant suffered from the consequences of this. They found users weren’t always happy to consent to being ‘stalked’. They lost their Google Analytics statistics. Over 50% of them at least. They weren’t able to know quite as much about their website visitors as they used to. As they wished to. As they could benefit from.

Getting Serious…

Well, the ICO wasn’t happy with this. Neither were the 486 website users who complained of businesses’ non-compliance. And then suddenly, the ICO decided to get serious. It is apparently now set to start taking action against those companies who fail to comply with new regulations.

By now, businesses should be well aware of the change in the law. They’ve had quite a bit of time to take some action towards compliance. They were secretly hoping that they would get away with non-compliance, but sadly, this doesn’t seem to be the case any more.

As ICO’s Group manager Dave Evans recently said:

“It might be a law they wish didn’t exist, but the simple fact is that it is here to stay. The EU passed the legislation, the Department for Culture, Media and Sport (DCMS) implemented it, and it’s now the ICO’s job to regulate the organisations that have to comply with the law.”

And how is the ICO going to go about using their powers? Through a thorough education programme to inform the industry, and strict enforcement work to ensure compliance. Apparently.

A new progress report is to be issued by the ICO in November. It will hopefully show how well these two objectives have been achieved.

In the meantime, if you are a business and want to know more about what the ICO has to say on the issue, read their most recent Cookie guidance.

And if you are a user, and want your voice to be heard too, respond to the ICO’s online cookie concern reporting tool.

Or click on the Comment button and share your view with me!

Thanks for reading. Now have a choc chip cookie! I know I will…
