Directive 2009/136/EC implemented in England by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011.
What an ugly way to describe the new “Cookie Law” which operates from 26 May 2011. To call it instead the new “Cookie Law” sounds so much more appealing, user friendly, delicious even but that is where the metaphor ends.
The new cookie law is undoubtedly the most significant bureaucratically inspired, legally enforced and operationally impossible challenge to the internet in Europe so far. Simply, no one really knows how to collect consent in a way which will keep the ecommerce behind the world wide web running in any meaningful way.
Some will give consent, some won’t and the majority will remain ambivalent to offering consent instead just wanting to get on with booking their travel, buying their ebooks, using their email and watching the latest cat viral on YouTube.
Let’s return for a minute to ugly. Lawyers find that when describing the Cookie Law to businesses ‘ugly’ is the first thought that comes to mind. The web site custodians concerned that big splash consent boxes will harm the user experience and tarnish the sites image. The Information Commissioner’s own compliance with the Cookie Law hasn’t helped with this image of ugly.
Though I’m not sure how some business can contend that getting legal consent via a pop up box is ugly when some businesses are quite happy to splash “rate our site” or “fill in this survey” or advertisements that interrupt the user experience… but I digress.
Ugly won’t work for anyone – so instead, it’s time to reclaim the better connotations for the Cookie Law and turn it into the beautiful swan. Complying with it need not be a hassle and even though the Information Commissioner has issued some guidance on ways in which a company could comply, he remains open minded.
Because of the open-mindedness I took a different approach with the company I work for. It seemed that lawyers are interpreting how to comply (fine) but also suggesting what that should look like (again fine if communicating the ICO guidance, but not fine if beyond providing interpretation). Instead, I threw the challenge onto our design team. I explained the parameters of the Cookie Law as factually as possible and asked them to design ways to comply.
Having designers design for compliance rather than lawyers’ pixel-push compliance on designers is the only way that the individual business will find solutions that not only happen to comply with the Cookies Law but also happen to work for the business. The designers have come up with a range of ideas and solutions to capture and record consent – it’s now just about choosing the one that works for us.
It didn’t stop there. It seemed that this was also a forced opportunity to engage with the customer during the user journey. If the Cookie Law is going to force us to obtain consent – we may as well work with our marketing team too to see what opportunities may exist to improve the customer experience, obtain consent for the Cookie Law and, maybe, just happen to get something useful out of the experience too.
If English internet businesses are going to get through this Cookie Law implementation with sanity still intact and without mass civil rebellion, it seems to this cynical lawyer that looking for the silver lining – or better still, creating your own, is the best hope we have.
westbright.xyz 
I’m curious how you’ve resolved the Catch 22 circular issue of not using cookies to store the “don’t use cookies” response.
Or have you applied the common sense argument of such a cookie being required to make the site function and thus needing to be accepted, while dovetailing with other non-cookie tagging to ensure a current visit is not fettered with repeated “Do you want cookies?” even if the visitor is not blocking them.
Seems a whole heap of folks are getting very hung up about that one bit of silliness, so even a basic reality check on that point would reduce the arm waving, headless chicken routine considerably.
If it’s not a functional cookie then what is it? Analytical? Behavioural? My guess is likely to be functional and even if not, even if the IC rules it requires consent (which would be requiring a feedback loop impossible to close technologically) then I’d be surprised if the IC was going to take action on this given that he has set out his intentions of what is high on his enforcement list.