With accusations of ignorance and fear-mongering coming from both the privacy and the tech-freedom camps, recent new laws surrounding the use of ‘cookies’ have not been without their problems.

A cookie is a small file which is used to assist the operation of websites and is essentially a binary calling card. Each time your browser (whether through a PC, tablet, mobile phone and so on) accesses a website, the website might deposit a cookie onto your hard drive so that, next time you visit the website, it already knows who you are. This can be extremely useful if you regularly use a particular website and you would prefer not to have to type in your name and address every time, or if you have expressed a preference as to how the webpage appears on your screen. On the other hand, cookies are also used for more controversial purposes, such as tracking your journeys through the internet so that advertisers can target you with more focused adverts for things which they think you might want.

In view of the concerns that cookies can be used to build a detailed map of personal data, the European Commission issued a new directive in 2009 amending the regime for electronic communications networks. So far, the UK is one of only a handful of EU member states to have done anything about implementing the directive, which it did recently through the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (SI 2011/1208). Before the amendment, websites were not permitted to store cookies on a user’s computer unless the user had been given sufficient information about what the cookies do and why they are there, and the user was ‘given the opportunity to refuse’ the cookie (regulation 6(2)(b) of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426)). Now websites cannot store cookies on a user’s computer unless the user has ‘given his or her consent’, having been provided with that information. This is a significant shift from ‘opting out’ to ‘opting in’. Failure to comply may lead to investigation and enforcement by the Information Commissioner’s Office (ICO) and, for persistent offenders, fines of up to £500,000.

How to get consentThe regulations do not prescribe how, or even when, such consent may be given. Critics have argued, and the ICO has agreed, that endless pop-ups requesting consent would ruin the user’s experience.

Adopting the example from the directive, the regulations state that the use of browser settings might be one way to give consent. The browser could be instructed to automatically accept or reject certain types of cookies for particular uses, so that the user is not asked to give consent each time a website is visited. The Department for Culture, Media and Sport (DCMS) and the ICO have championed this, but with a significant health warning that, while there are some cookie-specific browser settings currently available, the technology is not yet good enough to satisfy this requirement. The DCMS has reported that it is working with browser manufacturers such as Microsoft, Mozilla and Google in an attempt to bring the relevant technology up to speed. The government will not seek enforcement of the new regulations until that exercise has been completed, but it seems that developments are still at an early stage. It remains to be seen how the new settings will work or how, if at all, they can be implemented in less-customisable browsers such as mobile phones and palm devices.

The ICO has taken a slightly stronger line, stating that it will allow websites ‘up to 12 months’ (that is to say, until 26 May 2012) to ‘get their house in order’, but failure to do anything towards compliance in the meantime will be taken into account when the ICO does get around to enforcement. The ICO has in fact already received several complaints of non-compliance but, at this stage, is simply writing to the alleged offenders with a warning.

When to get consentThe question of timing has also received some attention. The user’s consent need not be given on every occasion that a cookie is stored by a particular website. It is sufficient that the user give consent on the first occasion. There has been some debate as to whether consent must be obtained before the cookie is deposited by the website, or whether it will be enough to get it afterwards. The DCMS argues that, although prior consent should be the norm, there is no absolute requirement for it. Some say that this flies in the face of the express wording in the regulation (the requirement that the user ‘has given’ – in the past tense – his or her consent). It remains to be seen how significant this issue may become.

‘Strictly necessary’As before, when all that was required was the opportunity to ‘opt out’, there is an exception to the ‘opt in’ consent requirements where the cookie is ‘strictly necessary’ for the provision of a service requested by the user. The European Commission, the DCMS and the ICO appear to agree that this will include cookies such as those expressing language preferences, or cookies for shopping websites which help to remember what has been placed in the user’s ‘basket’. But where is the line drawn between ‘strictly necessary’ and ‘necessary’, or even merely ‘desirable’? The ICO warns that this provision will be ­interpreted narrowly, and makes it clear that the seemingly more controversial use of cookies for tracking and advertising will not be seen as necessary.

Competition riskWebsite developers and their supporters maintain that cookies are harmless, unintrusive and, more importantly, play a key part in analysis of internet usage. Many websites are free for all to access, but to achieve this they are heavily reliant on advertising income. If online advertisers cannot properly analyse internet usage and focus advertisements on their target audience, then that source of funding may dry up, meaning that many websites will simply cease to exist or have to start charging for access. Critics point to this as a major risk to the competitiveness of the UK and the rest of Europe.

On the other hand, privacy campaigners have long been fighting for better regulation of cookies and other means of tracking individuals’ internet use. They argue that most websites will operate just fine without cookies and that it really does not take much to ask the user to express consent. In any case, there is no reason why the internet should not be subject to the same laws and principles as every other aspect of day-to-day life. Of course businesses want to target their marketing as effectively as possible, but that should not be at the expense of the individual’s privacy.

What is clear is that the debate and controversies have not yet been settled, and it is far from clear how websites will be required to deal with this in practice. Unless new browser settings can be developed to satisfy the government and the ICO, I predict that users will see a pop-up box or, as on the ICO’s website, a banner across the top of the webpage requesting consent. That might even be split into two – one consent to remember the user’s details so that the website can show ‘cool stuff’ that would interest the user (following the Amazon model), together with a second optional consent for a wider, and perhaps more controversial, use for tracking the user’s internet voyage. Hopefully, websites and users will have a better idea of where we stand in 12 months.

Jim McDonnell is an associate at DLA Piper