Tuesday, 13 October 2015
Opinion: Cookie's Law
I've got another email in my in-box from our software house about cookie compliance, suggesting we spend money upgrading the compliance statement to a full 'explicit consent' opt-in. But with 'enforcement' of the 'cookie laws' in such a mess and talk of further reform in 2016, should we really be spending money on this?
Quick reminder first off: what is a "cookie"?
A cookie is a small text file downloaded onto a user’s device when they browse a website. Intended to track the user's activity and personalise the user experience, cookies can be useful for keeping you logged in or saving your site preferences. That's tracking as a benefit. Cookies also present a danger of surveillance and breach of privacy, with massive technical scope for snooping and dialling home with a great deal of user information.
According to a report from the UK Information Commissioner's Office (ICO), the UK uses the most cookies of any EU country. UK companies have taken several approaches to the Cookie Consent issue.
While retailers Marks & Spencer and Currys add a small 'cookies' link in the footer of their websites, tour operator Thomas Cook puts the link at the top of its page; Expedia puts a simple link with an icon in the website header. Elsewhere, there has been a massive deployment of banners and pop-ups on first page-load, each with an explicit acknowledgement button to close it; all cookie-driven, of course.
In these cases, site operators are either relying on "implied consent", assuming that visitors who see a notice and continue to browse must be OK with cookies, or deploying "explicit consent" banners and buttons, taking a risk-averse approach - not to customer privacy, but to the threat of being sued by the EU or national regulators.
The answer, in this globalised, cross-border world of the Internet and Cloud computing, is: nobody knows. You can inventory the cookies deployed, but it's almost impossible to track what happens to the data they transmit back to the servers, how and to whom it is then passed, who looks at it, how they aggregate it and what they do with it.
This is the failure of international regulation. But there's a far more sinister threat to data privacy.
Between the NSA, GCHQ, FSB, Chinese Red Army, Russian Mafia, Nigerian Generals, Google, Amazon and Readers' Digest, I find it difficult to treat cookies as a serious privacy invasion. RC