The 'cookie law' is a privacy trainwreck
By now, UK internet users are probably familiar with major sites asking them to consent to the use of website cookies. This is prompted by the 'cookie law' (aka "Directive 2002/58 on Privacy and Electronic Communications", otherwise known as the E-Privacy Directive), which is proving a privacy trainwreck. Theoretically, the Directive was a good idea - a method of preventing companies secretly following a user from site to site across the web. However, ill-executed law can be worse than no law at all, and the UK's regulator, the Information Commissioner's Office, has made a hash of its implementation.
The June Opinion of the Article 29 Data Protection Working Party, a committee made up of privacy regulators from across Europe, states:
Privacy International strongly supports the subsequent paragraph in the June opinion:
"In this regard, should article 5.3 of the Directive 2002/58/EC be re-visited in the future, the European legislator might appropriately add a third exemption criterion to consent for cookies that are strictly limited to first party anonymized and aggregated statistical purposes. First party analytics should be clearly distinguished from third party analytics, which use a common third party cookie to collect navigation information related to users across distinct websites, and which pose a substantially greater risk to privacy."
We are concerned that the current alternatives to cookies include far more nefarious and invasive tracking mechanisms that are less transparent or not within an individual's influence. The ICO could have chosen to restrict invasive use of tracking, but it chose instead to implement the Directive in a far less helpful way.
It is not reassuring that the ICO fundamentally modified their guidance at the end of the last working day before the law came into force. Privacy protections that require active participation from individuals should operate on the principle of informed consent. With or without consent, minimal processing and retention of personal information should be standard practice.
We call on the ICO to reopen their process, and consult openly with an understanding of implementation to date, the impact that has had, and the work done by the Article 29 Working Party (in which the ICO is a participating member).