May 25, 2011 | Jim Killock

Ed Vaizey says Cookie Directive is in effect meaningless

Today’s advice from DCMS shows that the UK has no intention of implementing any form of meaningful consent for tracking from advertising companies.

Today, more or less every Internet user is spied on by advertising companies, who use cookies to see what sites you visit, create a profile about your interests and then serve adverts to reflect these interests.

Cookies weren’t meant to be used like this. They were designed to help a website know if you’d logged in, or placed items in a shopping basket, by tracking who you were. Unfortunately this tracking has been extended to profile your movements around commercial sites purely to help advertisers.

Because profiling people’s interests without consent is morally reprehensible, and an attack on our fundamental right to privacy, the EU chose to legislate to require consent. The new “Cookie” Directive however, omitted the word “prior” from the definition of consent. Advertisers – and now the UK government – are arguing that “browser settings may give consumers a way to indicate their consent to cookies.”

However, Ed Vaizey states:

in its natural usage ‘consent’ rarely refers to a permission given after the action for which consent is being sought has been taken. This absolutely does not preclude a regulatory approach that recognises that in certain circumstances it is impracticable to obtain consent prior to processing.

That is, basically, forget it. Consent is impractical, so is implied by your browser settings when you permit cookies, so you’ve agreed to be profiled.

For the record, I haven’t agreed to be profiled. Have you?



Comments (25)

  1. Matt:
    May 25, 2011 at 11:53 AM

    I understand your point in one respect (the idea of consenting to have information about yourself used by a company is entirely fair and right) but I would take the stance that if you do not wish for whatever reason for advertisers to advertise to you products your are more likely to be interested in then you already have the ability to opt out with a variety of permissions setting on your browser. I am of the opinion that everything you do online outside of SSL secured areas is free for all to see in the way everything you do in the real world outside of your house is free for all to see, I even quite like that I get served with adverts for new cameras and design related subjects (as this is my job) and not with say exercise equipment or feminine products. Advertising is part of the culture we live in and most educated people are aware of when they are being advertised to advertisers having information regarding what we like and don't like is hardly the biggest breach of our liberties currently in progress.

  2. Gervase Markham:
    May 25, 2011 at 01:05 PM

    “browser settings may give consumers a way to indicate their consent to cookies.”

    Well, that's what Do Not Track is all about. In the few short months since Mozilla introduced it, it's been implemented by every browser except Chrome.

    You can either spend years arguing that tracking should be opt-in (which, in a perfect world, would probably be true), or you can spend the time and effort on encouraging people to switch on DNT. I suspect the latter course will be more fruitful than the former.

    1. Jim Killock:
      May 25, 2011 at 04:16 PM

      I take your point, although I would just say that Do Not Track is designed in the USA where there is no legal presumption of privacy. In Europe, both the fundamental right to privacy and the data protection laws built on it are very clear about needing prior consent to do something which is otherwise protected by your right to privacy. ORG is worried about the erosion of that principle which seems to be taking place in this legislation, and its interpretation.

  3. Denny:
    May 25, 2011 at 02:46 PM

    If they hadn't done such a terrible job of drafting the legislation, businesses would probably have less objections to implementing it. As a web developer it's still unclear to me how I'm supposed to legally implement various standard user-experience tailoring features now. The law should have been more accurately and precisely targeted, then there would be more co-operation from within the web development industry. As it stands, I'm on several mailing lists where people are saying "Compliance with this is, in practical terms, impossible - I'm just going to ignore it". They're not malicious people, they're not tracking anyone for anything other than to make individual websites work as users expect them to. This law is either going to be ignored, or it's going to put UK web developers (and/or their clients) at a noticeable business disadvantage. :(

  4. Jim Killock:
    May 25, 2011 at 03:16 PM

    Hi Denny, it's clear that the Directive is both unclear and somewhat misunderstood. It doesn't target general cookies, as some people have assumed, but, the Commission says, in the case of “data not related to the service currently accessed by the user, the new rules require Member States to ensure users have given their consent before such data is stored or accessed.”

    if they are as you say “not tracking anyone for anything other than to make individual websites work as users expect them to” then they shouldn't be affected by the Directive in any way.

    1. Denny:
      May 25, 2011 at 03:47 PM

      The same advice exempts "cookies that directly relate to the provision of a service explicitly requested by the user". I think it's the definition of 'explicitly' that's worrying people - there would seem to be a potential middle-ground not clearly covered by either the exempt or non-exempt advice. As you say, it's all a bit unclear. Although they do seem to have added 'language prefs' to the list of examples for exemption now, which is promising from my point of view (that and accessibility options were two of the things I was most concerned about, and they seem safer now).

      That said, I'm still worried about the UK's interpretation of the Directive (I assume the Directive has to be implemented by a corresponding UK Act). Parliament's ignorance on technical issues could lead to all kinds of devil in the details... particularly where the Directive is not absolutely clear in its intent.

      1. Owen Blacker:
        May 26, 2011 at 04:25 PM

        (I should disclaim that I'm commenting in a personal capacity, not as a member of the ORG Advisory Council and not on behalf of my employer.)

        Thankfully(?) this is the kind of Directive that gets transposed into UK law by Secondary Legislation, rather than Primary Legislation (so a Statutory Instrument, rather than an Act). So Parliament won't have a say in the wording — they can either accept the DCMS's proposed wording or reject it wholesale, not bicker about that jot and this tittle.

        The SI in question is The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011, here:

        The counterpoint to that is that we almost certainly won't get much more clarity than open letters such as the kind we've seen from the ICO and the DCMS already, which isn't exactly helpful.

  5. Andrew Kay:
    May 25, 2011 at 06:44 PM

    I really find this position difficult to understand. Cookies technologically not only require your consent, they require your active cooperation, as your browser has to volunteer the cookie every time it makes a request. Do Not Track sounds like a fine idea if it can have the force of law; that's not going to happen for users in every country. But fundamentally, your browser is actively doing something that you don't want it to do. It's the browser's responsibility to make it easier to not actively cooperate with advertisers you don't want to be tracked by.

    In bizarro-world, mobile phones might be configured to automatically reply to SMS spam, costing you credit. There are many good reasons to outlaw SMS spam, but the real solution to this problem would clearly be to make your phone stop doing that. If that is not easy to do, we should make better phones.

    There are more insidious forms of tracking based on checking browser versions, screen resolutions, etc. which don't require your browser's active cooperation; in these cases, obviously ceasing to cooperate is not an available solution so my argument does not apply.

    1. Denny:
      May 25, 2011 at 06:50 PM

      Don't most browsers now have 'accept all cookies', 'accept only cookies from the site I'm on', and 'accept no cookies', with the default being the first? If I'm remembering that correctly, then pressuring browser distributors to change that default to the middle one might be the fastest effective action to take...

      1. Gervase Markham:
        May 25, 2011 at 07:11 PM

        Any solution which, as yours does, breaks the Facebook "Like" button for the entire web (to give one example among many) is unlikely to fly.

        1. Gervase Markham:
          May 25, 2011 at 07:13 PM

          Actually, you wrote "accept" rather than "send" -- but the longer answer is: vast quantities of research have gone into ways of browsers being able to sort out the bad uses of cookies from the good ones (i.e. ones people want, and will complain if it doesn't work). And no-one has come up with one yet.


        2. Denny:
          May 26, 2011 at 10:56 AM

          I think there's a strong case for saying that the Facebook 'like' button on external sites is at least as serious a privacy concern as Google Analytics (which is what most people favouring this legislation seem to be focusing on).

          1. Jim Killock:
            May 26, 2011 at 12:35 PM

            Exactly so. Facebook – without your consent – follows your progress around the web, wherever their widget is installed. That isn’t “necessary for the operation of a website”, it should require prior consent, and the widget could do its’ job without the tracking.

            1. Owen Blacker:
              May 26, 2011 at 04:30 PM

              Speaking purely hypothetically, and not endorsing any position on the matter, I would guess that Facebook would argue that the Like button (and its other social plugins) would do their job much less effectively if it weren't allowed to store that users are logged in and, thus, incentivise the Like buttons with facepiles and text saying which of your friends already Like whatever it is.

              Indeed, were it not for the change in this Directive, I'd guess they already argue that the user has implicitly given consent by remaining logged into Facebook after leaving the site.

  6. Andrew Kay:
    May 25, 2011 at 06:47 PM

    Your comment system is broken. I tried ten times and it kept telling me I entered the CAPTCHA incorrectly. Then I tried entering an email address into the Email: field and it worked fine. If the error is that I didn't enter an email address, it should not tell me instead that I entered the CAPTCHA incorrectly. Anyway, why do I need an email address?

  7. Anon:
    May 25, 2011 at 07:14 PM

    Re the guy who wants to teach everyone to opt out - dream on. Some geeks don't realise 90% of people never dream of fiddling with browser settings, even if they find out they're there.. in ITaly most teenagers think Facebook is the entirety of the Internet. We are not in JPB's Kansas now.

    Denny - PECR r 6(4) (which you obviously know about, congrats) is designed to meet your needs re "just making the system work". If it doesn't fall within it, that's deliberate - to stop developers (as is currently industry practice) taking the easiest most privacy invasive way to design a system. 6(4)(a) is not well defined but the principle is good. This is only the beginning - bring on Privacy by Design in reforms of the DPD proper. I sympathise though with anyone attenpting to implement the hopeless shambles which is the UK's attempt to dig itself into a hole and keep digging.

    1. Denny:
      May 26, 2011 at 11:04 AM

      The EU Directive seems (possibly, it's unclear to me and many others) to be correctly worded to allow 'normal' functionality-enhancing cookie usage. However, the UK/ICO interpretation of this seems to be far more restrictive. From the ICO guidance:
      "This might include, for example, being asked to agree to a cookie being used for a particular service, such as remembering your preferences on a site."

      That's in direct contradiction of the EU guidance I quoted earlier, which states that (for example) language preference settings do not require explicit prior consent for a cookie to be set. It's this kind of inconsistency which is worrying the web developers I know.

      Speaking of cookies and UX enhancements, is there any particular reason the comment system on this blog doesn't offer to save my name/email/website instead of my having to type it in again each time I post? (And if it did offer that feature, would it now need "(selecting this option will set a cookie on your machine - more information can be found in our [privacy policy])" next to the 'Remember me' tickbox?) :)

  8. RevK:
    May 25, 2011 at 07:24 PM

    I am also puzzled by this concept of getting consent after the fact. Is that like Schroedinger's legislation? Your actions are in a sort of quantum state of legal and illegal at the same time and you don't know until you ask for consent later? That really does not make any sense at all. By that logic I can defend any use of cookies with the "I sincerely hope that one day the users will consent to this retrospectively"...

    1. Denny:
      May 26, 2011 at 12:43 PM

      I'm guessing (wildly) that the intention here is something like "You can set a cookie prior to obtaining consent, as long as you do immediately then request consent, and remove the cookie if consent is refused". Maybe.

      (See also: "It's easier to ask for forgiveness than it is to get permission.")

  9. Jim Killock:
    May 26, 2011 at 01:47 PM

    They don’t know is the short answer. Behavioural advertising previously argued that there is a general “implied” consent from allowing cookies. Now browser settings may be accepted as some sort of informed consent, on the basis that people will be educated about this. Basically, it is nonsense, but the government and regulators do not wish to upset the handful of businesses that make fairly large amounts of money currently. Not that they'd necessarily make so much less if they weren’t profiling people.

  10. Robert Hall:
    May 27, 2011 at 11:46 AM

    Surely the facebook like button cookies would be exempt because they are "strictly necessary" for the provision of a service "explicitly requested" by the user. This means that if a user is clicking the like button then they are requesting a service from facebook. In order to log the user in to their facebook account they have to use cookies. The FB cookies aren't set until a user clicks the button. Only facebook get the information about the user not the website owner. So where’s the problem. As for Google Analytics I personally don't see how this breaches a user’s privacy because there is no personally identifiable information seen by the website owner or Google and tracking stops when they leave the site. If people don’t like being tracked then they should stay off the internet. It’s a fact that tracking is here and it’s here to stay. It’s like asking the Government to abolish all CCTV cameras. It won’t happen and neither will the stopping of cookies. Also I think Ed Vaisey remembers the days when every time you went online you kept getting pestered by pop ups about cookies. He and the Government don’t want that this to happen again because it ruined the browsing experience. They are working with browser developers to find a way to implement a do not track button of some sort. Having pop ups= ruined browsing experience= Very annoyed user. The settings are there if you don’t like cookies then use your settings. I don’t think businesses should have to do anything because the user already has the option to do something. So let the businesses carry out their business activities while you learn how to disable cookies in your browser.

    1. Jim Killock:
      May 27, 2011 at 12:52 PM

      Hi Rob,

      On Facebook, there are two different scenarios, to my mind. If you sign up to FB, they can probably make it a term of service that you will be tracked across the web, and you can agree that, and everything's legal, if rather assymetric.

      If on the other hand you are not a Facebook user, and haven't agreed to be tracked, then you shouldn't be. The widget tracking is not strictly necessary to a webpage, even if the widget is. I think it is unclear currently the extent to which facebook does track you, as logged in, not logged in, and not registered.

      On pop-ups or other explicit permissions, there are only a handful of services that need to request to track, be told yes or no, which can then work out how not to annoy users. The objection from these services is not really customer inconvenience, it is that fewer people would opt in to being spied on, and they would make less money.

    2. Denny:
      May 30, 2011 at 09:16 PM

      (Sorry for late reply)

      The problem with the Facebook 'like' button is that it tracks you even if you never click on it:

  11. Simon Hopkins:
    May 29, 2011 at 06:50 PM

    There should be a compulsory principal of "Opt In", with prior full disclosure of terms and use of data.

    It's not just tracking that is a problem it's what is done with the data.

    In my families case, Google tracked some card purchases and then tied the card details to the Google work account (due to working from home), now others in work (who I delegate to) get to see personal card related data. There was no explicit consent to tie in this personal data.

    Paypal causes problems by linking a shared card account to one single account, this means legitimate purchases by another are blocked. Thus the other person is forced to use a different card. There was no explicit consent for Paypal to tie the card to one account only.

  12. Simon Hopkins:
    Jun 01, 2011 at 11:04 AM


    In work we've looked at this long and hard, the solution we are implementing is the Share Button, this only tracks the links you send through Face Book to others, not the other pages you may visit.

    Web Pages linking to another are called the Referrer and the referrer URL has always (since the beginning of the web) been passed to the linked page server when you click the link, thus using the Share Button, changes nothing, it's the best we can do.