4 Comments

Summary:

Controversial European privacy rules that require websites to inform users about tracking cookies are finally hitting Britain this weekend. But the country’s startups seem to be taking no notice of the law, despite the fact they face up huge fines for non-compliance.

copyright Shutterstock/Kuzmik

· Explainer: What is the European cookie law?
· Context: How Europe is dealing with the cookie crisis

Controversial European privacy rules that require websites to inform users about the cookies are finally hitting Britain this weekend. The country’s startups, however, seem to be taking no notice of them.

“We’re ignoring it and waiting to see who gets sued and what happens,” one London-based startup co-founder told me this week. “We have a ton of revenue-generating work that needs to be done. This is just a distraction that does nothing for the business except waste time and resource.”

The rules, which were originally passed by European regulators in 2009, require users to give consent for non-critical data that websites want to store on their computer — typically through a pop-up dialog telling them about cookies that cover things like advertising and analytics.

But the idea of complying — even if it is the law — doesn’t seem to be cutting much mustard with British web entrepreneurs.

Another unrepentant entrepreneur summed up the mood: he would “ignore it until threatened with legal action,” he told me.

So: what we have is a law that is being ignored by the people it’s meant to apply to. Sound confusing?

That’s because it is. The directive was originally supposed to come into force last year, but when it became apparent that few businesses were ready to cope with the changes by the middle of 2011, Britain’s privacy watchdog, the Information Commissioner’s Office, put the deadline back by a year.

Cookie MonsterTwelve months on, some larger businesses have started to comply with the rules. To take a couple of examples, the Financial Times recently added a pop-up asking users for permission to place tracking cookies, while the BBC has also started asking visitors for their consent.

But the reaction from small companies seems much the same as it was a year ago.

One problem is the half-hearted approach being taken by the ICO, which has never quite bought into the directive. Recently the Information Commissioner David Smith said that although he had the power to fine non-compliant websites as much as £500,000 for breaching privacy regulations, he was not going “suddenly going to launch a torrent of enforcement action.”

Instead, the organization has said it will write to 50 of the U.K.’s most-trafficked websites to remind them of the rules and give them 28 days to comply.

That approach may carry weight with large organizations that don’t want to risk becoming a test case, but it will take forever to trickle down to startup world, where criticism has been vociferous.

Doug Monro of listings startup Adzuna told me that the lack of clarity about the way the rules were supposed to be implemented and enforced simply added to the air of confusion around the issue.

“The rules are clear as mud and, as far as anyone strictly interprets them, stupid,” he said. “Privacy-sensitive users can just change their browser settings or install a tracking-cookie-blocker if they want to reject cookies. The web as we know it would be virtually unusable without any cookies being used, or having to customize my cookie preferences on some pop-up on each of the hundreds of sites I visit.”

Photograph of woman copyright Shutterstock/Kuzmik

You’re subscribed! If you like, you can update your settings

  1. I find two things fascinating about this legislation and the subsequent ICO interpretation. Firstly, I am not clear why the legislation required changing in the first place. The original 2003 act included a stipulation that users were ‘given the opportunity to refuse the storage of or access to that information’. This was replaced with a slightly vaguer stipulation that the user ‘has given his or her consent’. What’s the difference? Was this a grand old waste of parliamentary and ICO thinking time?

    Secondly, is a subtler issue regarding the interpretation of the idea of consent. It seems that consent means ‘agree to our cookies, or you don’t get access to our content’. Is that really consent? Is that really in the spirit of the original EU declaration? Or does this just introduce a usability pain in the neck for users without giving them the ability to chose to opt out of tracking cookies.

  2. Aaron Weissman Friday, May 25, 2012

    Some startups may be ignoring the law, but that’s certainly not the case for everyone.

    We (Team Skimlinks) have met with top commissioner’s from the ICO and found that essentially the law is all about disclosure and education. And companies should be doing this anyways. You do NOT need to get an explicit opt-in for every single person visiting your site, but rather be open and honest about how you track, and inform folks when they visit.

    We’ve put together a blog post answering the FAQs on the EU privacy directive and laid out how companies can be compliant here: http://blog.skimlinks.com/2012/05/03/its-all-about-the-cookies-an-important-update-from-skimlinks/

    Best,
    -Aaron, Marketing Director, Skimlinks

  3. Someone TELL me the true point of this law, if you don’t fell safe online DON’T use the internet!

Comments have been disabled for this post