The Year the Cookie Crumbled?
2011 was predicted to be the year the cookie crumbled. We are not, of course, talking about substandard biscuits, incapable of surviving a two second dunk in a cup of tea, but the electronic kind and their technological equivalents that allow access to, or storage of, information on a user’s computing device. It is these cookies that are relied upon by websites to manage and monetise their online content and services.
The background
On May 26th 2011, the Government implemented into UK law, a revised European Directive on Privacy and Electronic Communications through the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 . The new law marks a shift away from the acceptance of the use of cookies provided people were told about their use and how to block them, and introduces a new requirement for consent.
In the data protection world consent is considered to be a freely given, specific and informed act by which a person signifies their agreement to the processing of data relating to them. This interpretation does not, however, fit neatly with the way the internet and cookie technology has 
evolved over the past 15 years, where cookies are often served before the first page request is even loaded. In addition, while browsers have historically had acceptance of cookies as a default setting, the Government does not currently view browser settings as an effective way to show consent, given their current lack of sophistication and because most users do not understand how to change them.
The implications of this change in the law are, therefore, of real significance to online businesses and in recognition of this fact the UK regulator, the Information Commissioner, allowed businesses a period of twelve months (until 26 May 2012) to find ways to comply with the new law during which there will be no enforcement procedures.
Where are we now?
We are now half way to this extended compliance deadline yet there are few visible signs that businesses have taken steps towards ensuring they obtain user consent to cookies. The Information Commissioner has started making noises about businesses sitting on their hands and failing to accept the inevitability of change but making statements such as "the law (for all its faults) is the law, so live with it..." are hardly helpful.
There are a number of reasons for this apparent lack of action. In particular, it is no small undertaking to identify and review the use by a businesses of the cookies it uses across its websites. Some organisations may have an online presence extending to hundreds of different websites. In practice there are many businesses busy grappling with these issues behind the scenes. This process is made more difficult due to the lack of any clear across-the-board technical solution to the problem that does not involve committing a business to significant cost or placing existing revenue models from online advertising in jeopardy (hardly an attractive proposition in the current economic climate).
So what changes have we seen? Well on the basis that any consent must be informed, we are starting to see examples of expanded cookie sections to privacy policies which detail the specific cookies an organisation uses and their purpose, along with clearer links or icons highlighting access to this information from the website. For those websites requiring prior registration, users are starting to be asked to agree to the use of cookies as part of expanded website terms of use. Alternatively, they are being made aware when their selection of a particular preference or setting relies upon the use of a cookie. Yet consent to use of cookies in respect of session or analytics tracking or the use of advertising cookies (which help pay for the free website content we expect) is proving harder to resolve. Self regulatory approaches, while encouraged by the Government, have met with disapproval from the European Data Protection Supervisor and the highly influential Article 29 Working Party and so far, there have been no suggested methods of obtaining consent to the use of advertising or tracking cookies which have met with the approval of both industry and regulators.
Looking ahead to 2012
It would be incorrect to say that nothing is happening and we are likely to see more evidence of measures such as those described above being rolled out as we move closer to May 2012. These issues are likely come to a head in 2012 as the majority of Europe joins the UK in taking steps to implement the revised European law. Although only a handful of countries have successfully implemented the law to date, evidence from draft legislation in other jurisdictions suggests that we are likely to see differing approaches to the strength of consent being required.
2012 may prove to be the crunch year for cookies, particularly with the imminent revision of European data protection legislation which will almost certainly define "consent" for the first time in this context. Certain practical compliance problems still appear intractable and a solution may not be reached in the remaining six month 'compliance holiday' allowed by the UK’s Information Commissioner. Industry and regulators will need to tackle these significant financial and technical difficulties and cooperate to achieve some kind of workable and commercially realistic solution .
For those who have genuinely yet to do anything? Well, six months is not a long time.
If you have any questions on this article please contact us.
Sally Annereau
"2012 will be a crunch year for the cookie as businesses roll out their compliance strategies and the regulator's enforcement amnesty expires in May 2012."
"We are now half way to this extended compliance deadline yet there are few visible signs that businesses have taken steps towards ensuring they obtain user consent to cookies."