This week marks the introduction of the Information Commissioner's new laws on privacy and online data retention.
The cookie law is introduced this week and, as announced by SC Magazine in March, websites will have to gain ‘explicit consent’ from visitors to store or access information on their computers from Thursday 26th May.
The law comes as part of a European Union law on cookies and, in short, it will affect any business that tracks users via their cookies. It will require UK businesses and other organisations to obtain consent from visitors to their websites in order to store and retrieve usage information from users' computers.
Speaking at the Infosecurity Europe 2011 event in April, deputy information commissioner David Smith said that a lot of attention has been paid to the ‘consent to cookie’ and he said that the directive behind the new law regards any storage of information on a user, ‘which is not strictly necessary for the provision of the service’.
He said: “It should and only take place with consent of the user and there is a substantial change where it is less about the user. Is it strictly necessary for the provision of service? While it is not strictly about the delivery of messages, there may be security considerations in the way in which security is used in the other information.
“It is a substantial change and there will be an easing in period where we will suspend enforcement action, but the regulations do mean this has to be taken seriously. It is the operator of the website who is responsible for complying with these regulations and their implementation.”
Stewart Room, partner at Field Fisher Waterhouse, previously said that 25th May is the date for all websites to have in the diary and he expected the rules to firm up pretty quickly.
Speaking to SC Magazine last week, Room said that the new cookies law will be a massive deal and, more importantly, it will be difficult too, as cookies are visible and obvious.
“With a data breach you cannot see it and with cookies you can, so it is a visible process. The Information Commissioner's Office (ICO) will be looking at usual suspects, the people that they do not like and so the next stage is a cookie audit and is a relatively simplistic process. It will be quite easy to present a complaint and evidence to the ICO with a tool on the web,” he said.
“Public awareness will grow and the online advertising model and its surveillance will be an issue where problems will come. A security breach is an unintended consequence, as no business sets itself up to fail, but businesses using cookies set themselves up as a visible part of the process. I think the ICO will be inundated and the argument for business is that they can hide in midst of a group as billions of websites will be like this.”
Margaret Graham, privacy manager for Fujitsu in the UK and Ireland, highlighted an ‘opt-in’ system for cookies that she said would make it difficult for the media to build advertising revenues online and that browsing the web would become a less rewarding and more frustrating user experience.
She said: “This would result in a switch by consumers from using EU websites to non-EU websites and therefore damage EU business. Currently, the government is clear that it will take time for meaningful solutions to be developed, evaluated and rolled out and recognises that this could cause uncertainty for businesses and consumers.”
Peter Gooch, privacy expert at Deloitte, also said that he anticipated a pragmatic approach from the government and the ICO, given how difficult it would be to require consent for every cookie from users.
He said: “The new guidelines do not yet allow the use of browser settings to do this and require businesses to gain consent another way if they wish to store a cookie on an individual's device.
“Although there are narrow exceptions, this is likely to be a challenge for many organisations hoping to comply with the new legislation by the deadline. However, the ICO has yet to release its enforcement guidelines, so to some extent it still remains a waiting game to see how quickly organisations will have to get their cookie strategies in order.
“The guidance is useful in setting out various options on how consent may be gained, but this doesn't take away from the fact that they recommend organisations to start planning their approach now and at the very least, understand what cookies they are using and determine how intrusive they are to users. Since there is no ‘one-size-fits-all’ approach here, businesses will need to implement a solution that best reflects how their website operates so that users are fully aware of what they are agreeing to.”
So how much will this impact users? After all, this could be all-encompassing, covering what music shops know about what you like to listen to or what adverts are displayed on Google or YouTube.
I asked Frank Coggrave, general manager EMEA at Guidance Software, what he thought of the impact on web users. He said: “If you are a good organisation it is likely that you will adopt that and there will be no problem, what people are worried about is people who are not asking and dumping stuff on your computer. There is no difference on the security point of view, do I want Google knowing everything I do? I would prefer Google to know that than some other site.”
I have no doubt that there will be an announcement by the ICO this week and many more debates on the new laws before the ICO begins with enforcement against those not doing things right. Whenever those events happen, the impact of this new world of privacy should not be underestimated.