Cookie monsters as websites struggle with new privacy rules

From Sunday, all British businesses should get the informed consent of users before using cookies, under new European guidelines laid down a year ago. Anyone visiting a site for the first time must be informed about how that site’s cookies are set, and how they can control or opt out of them altogether.

Much of the information harvested by cookies is used to target advertising at website users: so, for instance, if you’ve searched one site for details about a new fashion range, you’ll see adverts for that brand popping up whenever you next log on.

According to the Information Commissioner, the public will be able to report any sites which haven’t complied with the new guidelines, which could mean fines of up to £500,000.

But even with a whole twelve months to get organised, a survey by KPMG found that by the end of March, as many as 95% of businesses were not ready for the changes. Most government sites are among them: apparently they are “working to achieve compliance at the earliest possible date”.

Cookies? No thanks

Part of the problem is the considerable amount of work involved in obeying the new rules, which are not completely clear about what is required. Businesses must firstly audit their own website to find out what cookies are involved, along with the level of intrusiveness which they imply.

They will then need to decide what degree of control users can be offered, and update their software to make it happen. Many online businesses are worried that it could end up ruining the consumer experience, by imposing a whole layer of decision making about their privacy settings before they can even get onto the site they were trying to access in the first place.

Some sites have already begun displaying a cookie message, with a ‘no thanks’ option which will basically leave things as they are: a tempting choice for people who don’t have time to start clicking through a range of bewildering alternatives.

Frustrating consumers

But experts fear the new guidelines could end up fustrating consumers as well as businesses. Lindsey Greig, managing editor of the data protection and privacy compliance firm DataGuidance, told Channel 4 News that if compliance was carried out in a crude way, it could end up completely undermining users’ experience.

“Fundamentally, it is about getting to a position where customers don’t get any surprises about what happens to their data, and they understand what will happen to it, and are comfortable and happy about it”, he said. “But the problem is working out how that can happen efficiently.”

Greig said that any solution must be simple to install, and simple to use, or no-one will take it up. “A kind of tick-box compliance would be the worst of all worlds, because it won’t do anything to achieve real privacy”, he explained.

DataGuidance has produced a guide to cookie consent procedures across Europe, and found that almost every country has a different level of regulation, which allows different levels of intrusiveness and privacy. Trying to establish any kind of consistency is a Herculean task.

Getting control

Personal data – and what happens to it – lies at the very heart of our modern technological culture. The vast majority of internet users want to have some say over what happens to their information, and are uneasy about the prospect of it being tracked and sold on without their knowledge.

A survey by the Internet Advertising Bureau shows that half of UK consumers have managed to delete cookies from their computers in the last six months, with one in five deleting them every week. But there are still an awful lot of people who have no idea what they are, or how to control them.

The aim of these new guidelines is to offer consumers a chance to sieze back that control. But online advertising is a lucrative business: it makes up some 28% of Britain’s advertising market, more than the heavily regulated broadcast sector.

Most popular sites have an average of 14 tracking tools on each webpage, according to a survey by Truste. A bland statement offering a ‘Yes’ or ‘No’ opt out is unlikely to offer much protection – and in the meantime, there are already moves to bypass cookies altogether, with new technology allowing data to be tracked from server to server.

According to Lindsey Greig: “It is in the interests of consumers that personal information is protected – but also that users continue to have an easy experience. In the end, we have to find ways to control what happens to it in sensible ways, which satisfies everyone’s concerns about their data being misused.”