As of 26 May your website could be breaking the law, and you could face a penalty fine, if you fail to comply with the amended Privacy and Electronic Communications Regulations on cookie handling, which the ICO enforces.

The only problem is that working out which side of the law you are on is baffling, and the usability implications of a defensive interpretation of the law are plain nasty.

An example: the ICO has had to implement the regulations on its own site to avoid obvious criticism, but if its version is an indication of how the law is meant to work, the law needs a major rethink.  If you visit the ICO site a large bar appears at the top of the screen that reads:

“On 26 May 2011, the rules about cookies on websites changed. This site uses cookies. One of the cookies we use is essential for parts of the site to operate and has already been set. You may delete and block all cookies from this site, but parts of the site will not work. To find out more about cookies on this website and how to delete cookies, see our privacy notice.”

Clearly the wording could be better, but the main problem I find is “You may delete and block all cookies from this site, but parts of the site will not work.”  This is the crux of the matter.  Do you really want to offer your visitors the one-click ability to opt out of a technology that is vital to your website?  Especially when the use of the cookie is harmless, as is the case on the ICO site, where it is simply a session cookie used to identify a visitor as they move around the website.  In fact, warning about such a cookie at all sits oddly with the regulations themselves, which state that they “do not apply where the storage or access is strictly necessary for a service requested by the user“.

If you find this confusing you’re not alone. “The delay in the publication of guidance, the lack of clarity and government’s admission that a technical browser-based solution will not be ready by the implementation date has left businesses and organisations in a state of uncertainty,” said Clarie McCracken of Pinsent Masons on the firm’s website: “There is no definitive guidance on how to achieve compliance, leaving businesses and organisations without a firm course of action to ensure that they don’t fall foul of the new cookie laws.”

Solicitor Andrew Sharpe said it was “virtually impossible” to outline for clients the compliance steps necessary for the new law. “The ICO’s guidance does not give any definitive, practical assistance,” he said. “It merely advises that companies review their use of cookies and consider how they may be able to obtain the consent called for by the new regulation.”

Another issue for me is the assumption that the average web user has a deep enough working knowledge of cookies to make a useful decision.  The ICO’s message uses the term “cookie” six times in a few sentences, so they have obviously decided that they are on safe ground, but I think this assumption is false.  A significant percentage of visitors will be mystified by the term cookie, and most, at best, have only a vague notion of what cookies are or what they are used for.  At worst, I worry that many visitors will find the warnings similar to the fake “scareware” infection warnings and just leave websites en masse.

These cookie warnings are also analogous to desktop PC warnings such as “Downloading files from the internet may harm your computer.  Are you sure you want to continue?”  Utterly useless, as the PC user has no idea whether the file is infected or whether it’s a harmless “Britain’s Got Talent” screen saver.  All they know is they want the file, so they’ll take the risk.  The same will apply to the cookie warnings: “Cookies might be used to track your progress around the internet.  If you don’t accept these cookies our website will not work.”  At best, they accept the cookie and things progress as they do now; at worst they flee the website in a state of FUD (fear, uncertainty, doubt) to use an international website that will not be required to carry such warnings.

Of bigger concern is the fact that with only a tiny amount of effort from a website owner tracking becomes virtually guaranteed anyway, making these regulations ineffective as well as burdensome – not an encouraging combination.  Technologies such as the open source JavaScript library evercookie use 13 different storage mechanisms to persist a visitor identifier, of which, despite the name, only a couple are traditional HTTP cookies, and several of its techniques (Flash Local Shared Objects, HTML5 storage, cache and ETag tricks, window.name) fall well outside what a consent banner about “cookies” will cause anyone to delete.  evercookie is so thorough that if you fail to remove just one of the 13 copies it will respawn the other 12 on your next visit.  It currently defeats all but one of the browser manufacturers’ dedicated Privacy modes.
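To make the respawning point concrete, here is an added example (not code from the original post, and not evercookie’s own code) of the pattern such libraries rely on.  Each browser storage location is modelled by an in-memory stand-in so the logic runs outside a browser; in a real page these adapters would wrap document.cookie, localStorage, sessionStorage, window.name and so on.  The store names and the `visitor-` identifier format are assumptions for illustration.

```javascript
// Added example: redundant identifier persistence with "respawn".
// MemoryStore is a constructed stand-in for one browser storage location
// (document.cookie, localStorage, sessionStorage, window.name, ETag cache ...).
class MemoryStore {
  constructor(name) { this.name = name; this.value = null; }
  get() { return this.value; }
  set(v) { this.value = v; }
  clear() { this.value = null; }
}

// The five store names are illustrative; a real library uses many more.
function makeStores() {
  return ['httpCookie', 'localStorage', 'sessionStorage', 'windowName', 'etagCache']
    .map((n) => new MemoryStore(n));
}

// Recover the identifier: read every store and, if the copies disagree,
// take the value held by the most stores (a simple majority vote).
function recoverId(stores) {
  const votes = new Map();
  for (const s of stores) {
    const v = s.get();
    if (v !== null) votes.set(v, (votes.get(v) || 0) + 1);
  }
  let best = null;
  let bestCount = 0;
  for (const [v, c] of votes) {
    if (c > bestCount) { best = v; bestCount = c; }
  }
  return best;
}

// The respawn step: whichever copy survived is written back to every store.
// Returns the id and the names of the stores that had to be rewritten; a
// non-empty list after the user "deleted cookies" is exactly the behaviour
// a privacy tool should alarm on.
function syncId(stores, newId) {
  let id = recoverId(stores);
  if (id === null) id = newId(); // no copy anywhere: a genuinely new visitor
  const respawned = [];
  for (const s of stores) {
    if (s.get() !== id) { s.set(id); respawned.push(s.name); }
  }
  return { id, respawned };
}

// What the banner's "delete cookies" advice actually achieves: only the
// HTTP cookie copy is removed, every other store is untouched.
function deleteCookiesOnly(stores) {
  for (const s of stores) if (s.name === 'httpCookie') s.clear();
}

// Walk through two visits: first visit assigns an id, the user then deletes
// cookies, and the second visit recovers and respawns the same id.
function demo() {
  const stores = makeStores();
  let counter = 0;
  const newId = () => `visitor-${++counter}`;
  const first = syncId(stores, newId);
  deleteCookiesOnly(stores);
  const second = syncId(stores, newId);
  return { firstId: first.id, secondId: second.id, respawned: second.respawned };
}
```

Clearing every store at once is the only thing that breaks the chain, which is why a per-site prompt about cookies changes nothing for a site that wants to track, while the user who takes the banner at its word believes they have opted out.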

However, I do understand the intent.  I find it creepy when I search for a packet of hooks and then get chased around the internet by Screwfix adverts (for hooks, no less) for the next week.  I dislike it intensely, but there’s a fix already: set your browser to block third-party cookies (and perhaps Flash cookies) or use Privacy mode – at least these are set-and-forget solutions, not a nagging prompt on every website.

Perhaps a final consideration is the far-reaching consequence of laws like this.  We have all got very used to free Internet resources, many of which are financed by advertisers whose bottom line will be hurt by these regulations – if they are effective.  If we are asked to choose between a right to total privacy online and paying for access to many websites, it isn’t hard to imagine that many people would be happy for things to stay as they are.  Are the consequences really so serious?  Perhaps we should instead be educating web users to have a realistic expectation of privacy when online.

In short, I feel these new regulations are ambiguous in definition, ineffective against sites set on tracking visitors, harmful to usability in implementation, and will put European websites at a distinct disadvantage.  I can’t wait for my clients to ask me how to comply with them.