Opinion: Cookie's Law

NOTE: the contents of this column should in no way be taken as sound legal advice. Or even unsound legal advice.

I've got another email in my in-box from our software house about cookie compliance, suggesting we spend money upgrading the compliance statement to a full 'explicit consent' opt-in. But with 'enforcement' of the 'cookie laws' in such a mess and talk of further reform in 2016, should we really be spending money on this?

Quick reminder first off: what is a "cookie"?

A cookie is a small text file, downloaded onto a user’s device when browsing a website. Intended to track the user's activity and personalise the user experience, cookies can be useful for keeping you logged in or saving your site preferences. That's tracking as a benefit. Cookies also present a danger of surveillance and breach of privacy, with massive technical scope for snooping and for dialling home with much user information.

It was for this reason that the European Commission passed an EU 'cookie law', Directive 2002/58/EC, commonly known as the e-Privacy Directive. Amended in 2009 by the European Parliament, Article 5(3) made it 'mandatory' to seek user consent before storing any information in a cookie. The law previously permitted websites to use cookies so long as there was clear advance notice to the user. The intent of the legislation was to protect web users from being tracked on-line. It didn't make very clear how this was to be achieved.

According to a report from the UK Information Commissioner's Office (ICO), the UK uses the most cookies of any EU country. UK companies have taken several approaches to the Cookie Consent issue.

While retailers Marks & Spencer and Currys add a small 'cookies' link in the footer of their websites, tour operator Thomas Cook puts the link at the top of their page; Expedia puts a simple link with an icon in the website header. Elsewhere, there has been a massive deployment of banners and pop-ups on first page-load, each with an explicit acknowledgement button to close it; all cookie-driven, of course.

In these cases, site operators are either relying on "implied consent", assuming that visitors seeing a notice and continuing to browse must be OK with cookies, or deploying "explicit consent" banners and buttons, taking a risk-averse approach - not to customer privacy, but to the threat of being sued by the EU or national regulators.

While all of these may think they are following the poorly-written 'letter' of the law, all these sites continue to pile up cookies in users' web browsers, simultaneously engaging in a major box-ticking exercise which doesn't address the issue. Nearly all sites deploy and use cookies - the question is: what is done with the information collected through cookies?

The answer, in this globalised, cross-border world of the Internet and Cloud computing, is: nobody knows. You can inventory the cookies deployed, but it's almost impossible to track what happens to the data they transmit back to the servers, how and to whom it is then passed, who looks at it, how they aggregate it and what they do with it.

This is the failure of international regulation. But there's a far more sinister threat to data privacy.

Between the NSA, GCHQ, FSB, Chinese Red Army, Russian Mafia, Nigerian Generals, Google, Amazon and Readers' Digest, I find it difficult to treat cookies as a serious privacy invasion. RC