New Cookie Law Crumbles
June 1st, 2012 by BrightCloud
On 26 May the UK’s Information Commissioner’s Office (ICO) imposed an EU directive designed to protect Internet users’ privacy.
The law says that sites must provide “clear and comprehensive” information about the use of cookies. We’ve seen the number of malicious threats attributable to web pages increase dramatically month by month, which calls into question the value of any government guidelines that focus on cookies alone.
Cookies are irritating and some of them are dangerous, so it is welcome that the government has given website owners responsibility for making it clear that cookies are present and what the implications of accepting them are. But what does this really mean?
The regulations say website managers must:
- Tell people that the cookies are there
- Explain what the cookies are doing
- Obtain visitors’ consent to store a cookie on their device
What are Cookies?
Cookies are small files that allow a website to recognise and track users. The ICO groups them into three overlapping groups:
Session Cookies – Files that allow a site to link the actions of a visitor during a single browser session. These might be used by an internet bank or webmail service. They are not stored long term and are considered “less privacy intrusive” than persistent cookies.
Persistent Cookies – These remain on the user’s device between sessions and allow one or several sites to remember details about the visitor. They may be used by marketers to target advertising or to avoid the user having to provide a password each visit.
First and Third-Party Cookies – A cookie is classed as being first-party if it is set by the site being visited. It might be used to study how people navigate a site.
It is classed as third-party if it is issued by a different server to that of the domain being visited. It could be used to trigger a banner advert based on the visitor’s viewing habits.
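The ICO’s two groupings above (session versus persistent, first-party versus third-party) can both be read straight off a Set-Cookie header and the hosts involved. The following is an added example, not code from the BrightCloud post: a small parser that takes a Set-Cookie header, the host the user visited and the host that set the cookie, and classifies the cookie the way the categories above do. Host names and header values are constructed for illustration, and the registrable-domain check is a two-label approximation of what browsers do with the Public Suffix List.

```javascript
// Added example (not from the BrightCloud post). Classifies a Set-Cookie header
// into the ICO's categories: session/persistent and first-/third-party.
// Sample hosts and header values below are constructed.

// Parse one Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf("=");
  const cookie = {
    name: eq === -1 ? parts[0] : parts[0].slice(0, eq),
    value: eq === -1 ? "" : parts[0].slice(eq + 1),
    attributes: {},
  };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    // Flag attributes (Secure, HttpOnly) carry no value; store them as true.
    cookie.attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Approximate the registrable domain by keeping the last two labels.
// Real browsers consult the Public Suffix List (so "co.uk" is handled);
// this simplification is an assumption made for the example.
function registrableDomain(host) {
  const labels = host.toLowerCase().replace(/\.$/, "").split(".");
  return labels.slice(-2).join(".");
}

// A cookie is persistent if the server gave it a lifetime (Expires or Max-Age);
// otherwise it dies with the browser session. It is first-party if the server
// that set it shares the registrable domain of the site the user visited.
function classifyCookie(header, visitedHost, settingHost) {
  const cookie = parseSetCookie(header);
  const a = cookie.attributes;
  const persistent = "max-age" in a || "expires" in a;
  const firstParty =
    registrableDomain(visitedHost) === registrableDomain(settingHost);
  return {
    name: cookie.name,
    lifetime: persistent ? "persistent" : "session",
    party: firstParty ? "first-party" : "third-party",
    // Not part of the ICO grouping, but relevant to how exposed the cookie is.
    secure: a.secure === true,
    httpOnly: a.httponly === true,
  };
}

// Constructed samples: a bank login cookie and an advertising tracker.
const samples = [
  {
    header: "sessionid=abc123; Path=/; Secure; HttpOnly",
    visited: "www.bank.example",
    setter: "login.bank.example",
  },
  {
    header: "adtrack=xyz; Max-Age=31536000; Domain=.ads.example",
    visited: "news.site.example",
    setter: "cdn.ads.example",
  },
];

for (const s of samples) {
  console.log(classifyCookie(s.header, s.visited, s.setter));
}
```

Running the block prints one classification per sample: the bank cookie comes out as a first-party session cookie (the kind the ICO calls “less privacy intrusive”), while the advertising cookie is a third-party persistent cookie with a one-year lifetime, which is the category the consent rules are really aimed at.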
On May 28th 2012 the Information Commissioner’s Office (ICO) issued an update to its guidance on how to comply with the European Cookie Directive on user privacy, which became law in the UK on the Saturday before. The update gives more prominence to implied consent as a route to compliance. This is likely to add to the confusion, since it appears to accept that users can give ‘implied consent’ to having their behaviour tracked by cookies.
The change to the guidance (cookies_guidance_v3) gives more backing to implied consent, a method that lets website owners and designers off the hook, as they would not be required to get direct consent from users before installing cookies on their machines.
However, the wording of the guidance is still vague enough to leave website owners and developers confused about how to comply with the law. Originally, the law required sites to get permission from every user before tracking their behaviour using “cookie” code on the user’s computer; the additional space now given to “implied consent” suggests it may not be so clear cut any more.
“For implied consent to work there has to be some action taken by the consenting individual from which their consent can be inferred,” the updated cookies guidance read. “This might, for example, be visiting a website, moving from one page to another or clicking on a particular button. The key point, however, is that when taking this action, the individual has to have a reasonable understanding that by doing so they are agreeing to cookies being set.”
The ICO says the rules cover cookies used to provide information to advertisers, count the number of unique visitors to a page and recognise when a user has returned to a site to adjust the content that is subsequently displayed.
However, it says exceptions are likely to be made if the cookie is only being used to ensure a page loads quickly by distributing the workload over several servers, or is employed to track a user as they add goods to a shopping basket.
What does it mean? The ICO said in its guidance that “while explicit consent might allow for regulatory certainty and might be the most appropriate way to comply in some circumstances this does not mean that implied consent cannot be compliant.”
The ICO claimed it has always said gaining explicit consent was not the only way that companies could comply. The data protection watchdog said implied consent should not be seen as an easy way out or treated as a euphemism for “doing nothing”.
A blog post from Dave Evans, group manager for business and industry at the ICO, attempted to explain what implied consent meant for website owners. “You should not rely on the fact that users might have read a privacy policy that is perhaps hard to find or difficult to understand,” Evans wrote. “Without this understanding you do not have their informed consent.”
“In some circumstances, for example where you are collecting sensitive personal data such as health information, you might feel that explicit consent is more appropriate.”
The ICO highlighted The Department for Business, Innovation and Skills’ website as an example of how to comply without having to gain explicit consent. The government department simply offers a link through to a page about its cookies and how users can remove them from their machines.
This means most UK businesses and government departments with websites will have to act quickly to ensure that they at least have a compliance plan in place to show the ICO, should it come calling.
The Bright Cloud View
Potentially, this may even encourage users who are not aware of the malicious nature of the web to be less on their guard. Malware, malbots and other things that lurk on web pages will not be declared by website owners as cookies, but they are real threats. In fact this directive from the government could potentially be exploited by the people and organisations developing and delivering malware.
At BrightCloud we advise everybody who uses the Internet to understand the dangers inherent in malware; try looking at the malware report on the Blue Coat website http://www.bluecoat.com/security/reports=hero. Once you’ve understood what this means to you, your users and your company, take action to protect yourselves. At BrightCloud we provide Bluecoat and Webroot web filtering, and are able to provide this as a cloud-based service or as an appliance which is managed by the customer or by us.