The 'cookie law' is a privacy trainwreck

News & Analysis
The 'cookie law' is a privacy trainwreck

By now, UK internet users are probably familiar with major sites asking them to consent to the use of website cookies. This is prompted by the 'cookie law' (aka "Directive 2002/58 on Privacy and Electronic Communications", otherwise known as the E-Privacy Directive), which is proving a privacy trainwreck. Theoretically, the Directive was a good idea - a method of preventing companies secretly following a user from site to site across the web. However, ill-executed law can be worse than no law at all, and the UK's regulator, the Information Commissioner's Office has made a hash of its implementation.

The current process encourages users to click 'yes' on a popup without reading it, just to make it go away.Individuals should be in control of their privacy, but they should not have to make decisions about it proactively on every website they visit through a nag on the screen. Just as with terms of service agreements that everyone 'agrees to' without a second thought, the ICO's guidance as written can encourage a visitor to agree to any use of cookies, simply because it is almost impossible for Internet users to tell the difference between responsible and irresponsible use. There are concerns here about informed consent - there is incentive to educate users to allow them to tell the difference between heavily invasive tracking and transparent privacy protection technologies.

The June Opinion of the Article 29 Data Protection Working Party, a committee made up of privacy regulators from across Europe, states:

the Working Party considers that first party analytics cookies are not likely to create a privacy risk when they are strictly limited to first party aggregated statistical purposes and when they are used by websites that already provide clear information about these cookies in their privacy policy as well as adequate privacy safeguards. Such safeguards are expected to include a user friendly mechanism to opt-out from any data collection and comprehensive anonymization mechanisms that are applied to other collected identifiable information such as IP addresses."

PI's site uses cookies in this way for web analytics. They are run by PI itself, and the data is not shared with anyone. We delete the final 25% of the IP address from our records, and, most importantly, we honour DoNotTrack. The data is used to inform PI's mission and operations, and is only ever used in aggregate.
Privacy International strongly supports the subsequent paragraph in the June opinion:

In this regard, should article 5.3 of the Directive 2002/58/EC be re-visited in the future, the European legislator might appropriately add a third exemption criterion to consent for cookies that are strictly limited to first party anonymized and aggregated statistical purposes. First party analytics should be clearly distinguished from third party analytics, which use a common third party cookie to collect navigation information related to users across distinct websites, and which pose a substantially greater risk to privacy."

We are concerned that the current alternatives to cookies include far more nefarious and invasive tracking mechanisms that are less transparent or not within an individual's influence. The ICO could have chosen to restrict invasive use of tracking, but it chose instead to implement the Directive in a far less helpful way.
It is not reassuring that the ICO fundamentally modified their guidance at the end of the last working day before the law came into force. Privacy protections that require active participation from individuals should operate on the principle of informed consent. With or without consent, minimal processing and retention of personal information should be standard practice.
We call on the ICO to reopen their process, and consult openly with an understanding of implementation to date, the impact that has had, and the work done by the Article 29 working party (in which the ICO is a participating member).

Learn more