Schrödinger’s Cookie Law: Lessons for the future from ICO’s failed implementation

In every web design and development studio in the UK there is a cardboard box sitting in the corner containing an inbred cat called Cookie Law. It was someone else’s job to raise, nurture, and feed it, and they did an awful job of it, so we’re stuck with the results. A few months ago Cookie Law hacked up a hairball and peed on the carpet. We put it back in its box, threw a fish in, and heard nothing more. The public interest says we are not allowed to put Cookie Law out of its misery; that is someone else’s job. But all things considered, we’re not too bothered about opening the box to check if it’s already been done for us. Every time we’ve tried, the studio has stunk to holy hell for days.

Now that the dust has settled and the cat is in the box, we can look back reflectively at a bizarre year when the craft of web design itself was placed in limbo by the botched implementation of the EU Cookie Law. One year on, no one is talking about the law’s success in addressing privacy issues, ensuring data privacy, or making the web a better place to be. And you will be hard pressed to find any web designer or developer, anywhere, who benefited from the law – except those with a personal financial interest in the process. In fact, the only positive lesson the web design and development community has been able to take away is the satisfaction of being proven right for sticking to their principles.

So what lessons can we take from the EU Cookie Law debacle – speaking from the perspective of its implementation in the United Kingdom by the Information Commissioner’s Office (ICO) – to ensure that future laws regulating the craft of web design do not repeat these mistakes?

1. Don’t move the goalposts

This is the most obvious, and most painful, lesson learnt. When it came to our national implementation of the EU Cookie Law, the UK has had one year of planning (2010), one year of buildup (2011), one year of implementation (2012), and one year of evaluation (2013). We might as well be talking about four different laws. In each year, the guidance on theoretical and practical implementation was, and still is, completely different. I personally have had to deliver two public presentations and write thirteen lengthy blog posts on the issue just to get to grips with it, and I am a full time professional. What hope does the general public have, then, of knowing that the information they are reading is current and accurate, much less correctly implemented?

The endless goalpost switching would have been a shock to me had I not gone through the lengthy and expensive processes of securing three cumulative visas, followed by British Citizenship, with the Home Office and UK Border Agency. Because of that, the UK’s cookie law saga was depressingly familiar. It did not matter which hoops you had jumped through, which boxes you had ticked, or which compliance fees you had already paid. The implementing bureaucracy reserved the right to change the rules at any time, regardless of where you were in the compliance process. They also chose to announce those changes through passing references in mainstream media rather than direct communication with the people affected by them. And, as with immigration, the little guys who were doing nothing wrong were condemned as dirty lawbreakers thanks to the selfishness of a tiny and high-profile few.

To paraphrase my old Dilbert coffee mug: failure to correctly implement a law on your part does not constitute a failure to correctly implement a law on my part.

2. Engage with the people who actually implement your law

In the run-up to the cookie law’s implementation, ICO chose to engage with the data protection and security community rather than the web design and development community. Chaos ensued. This is not meant as any sort of denigration or insult to our fine colleagues in the data protection and security community. I say this with all due respect: these particular professionals do not code HTML, PHP, JavaScript, and CSS. The cookie law was seen from a purely theoretical perspective by people who had no idea how practical code affects things like usability, accessibility, SEO, and analytics. When it came to physically placing the cookie law into web sites, the web design and development community was left completely alone, resulting in confusion amongst the good guys and hucksterism amongst the bad ones.

In explaining the law to the general (non-geek) public, ICO chose a mainstream media route, which resulted in “education” like this utterly ignorant news report placed by ICO’s PR. See if you can get through more than 60 seconds of it before having your intelligence insulted to the point where you have to switch it off.

The success of your project is contingent on your willingness to move out of your own comfort zone. That may mean engaging with audiences who are going to hate what you have to say.

3. Get your own house in order

When an Australian scammer instructed a Filipino call centre to phone up UK businesses, claim to be ICO, and threaten hefty spot fines if the business did not agree to pay for an immediate “cookie law audit,” a part of me had to give him a round of applause. Why? Because he was more on the ball than the cookie law’s own overseers. While ICO were still scratching their heads trying to figure out how to process complaints, much less punish transgressions, raw capitalism rushed in to fill their intellectual vacuum.

Now most organisations, upon learning that a scammer was claiming to be them, would immediately issue a statement decrying the scam and clarifying the situation to the vulnerable public. Not ICO, who had to be personally forced by me to make any sort of comment. And that comment indicated that they viewed the scam as an issue of brand infringement, not public protection. You really had to wonder what planet they were on.

Later on, when professional cheeky sods Silktide publicly challenged ICO to sue them over their cookie law noncompliance, ICO humiliated themselves with this tweet:


Name any organisation where a social media officer is permitted to issue an authoritative judgement on a company’s legal compliance. There isn’t one, not even ICO. By trying to seem like they were down with the kids, ICO fell for the trap hook, line, and sinker.

Don’t claim the moral authority to tell people you know best what they need in their house when you can’t get your own house in order first.

This post discussed how a bureaucracy botched the cookie law’s implementation in one country. In my next post, I’ll discuss where the EU itself went wrong across the whole continent.
