Back in 2007, when I decided to start my business, I went to various start-up workshops and seminars run by Business Gateway. Inevitably the evening rolled around when the topic of discussion was how to set up a web site. As a web site designer, I kept my mouth firmly shut and took it as an opportunity to observe what sort of advice startups were receiving from well-meaning generalists who had, themselves, never set up a web site.
One of the things the expert said was that if you have a web site, you have to have a “terms and conditions”. But that, she said, was easy. We merely had to go to the Business Gateway web site and navigate to the “e-commerce” page, and there we would find a template terms and conditions statement waiting for us. All we had to do was copy it, replace all instances of [YOUR BUSINESS NAME] with our business name, and paste the results onto a page on our own web site. And hey, presto! We’d be legally compliant.
Well: if all you have to do to comply with a law is cut and paste a boilerplate piece of text onto a web page, that isn’t much of a compliance process. It isn’t much of a law. There obviously isn’t much of an enforcement structure to regulate it. And the people offering the free boilerplate text have no reason to worry about being held liable for a violation.
Sadly, it’s the same story with the EU Cookie Law in the UK. When a consumer reports a site to ICO as a potential cookie law violator, ICO do a “basic visual audit” of the offending site. They are not looking to see what cookies are in use, what they are doing, or whether or not a cookie compliance process might even be necessary. They are looking for a cookie statement. They are taking what you have said in the cookie statement as your word. They are probably not even reading it.
As the law has been implemented, site owners need not make any effort to improve, or even consider, visitor privacy and consumer choice as part of their cookie law compliance process. The statement is the end goal, not the process of improvement, and the existence of the statement equals a successful implementation.
We should not be surprised, then, that one of the vendors who tried to use the cookie law as a revenue generator has created yet another cookie law compliance “product.” He has set up an automatic cookie statement generator on his web site. All you do is input your details into a form, press a button, and voila! It vomits out a cut and paste cookie statement into your inbox. Paste that, and you’re magically compliant.
I’ll tell you why I am being particularly harsh on this project.
One of the compliance statement vendor’s previous sales tactics was to “name and shame” web sites on Twitter about their cookie use. The goal, presumably, was to scare the general public away from using those web sites, while blackmailing the site’s owner into buying the company’s services.
There were two problems with this tactic. The first was that the “name and shame” process took a numerical approach by stating how many cookies were in a site. The fact is, the number of cookies on a site is completely irrelevant. You can have a site with 500 cookies, all of them good. You can have a site with only one cookie which is completely malicious. So this sales approach played on scaremongering and ignorance.
The second problem was the kind of sites they chose to “name and shame.” One day they tweeted this:
Quite aside from the question of what kind of bloke goes to a p/orn site and thinks “I wonder how many cookies this site uses?”, the site, for what it’s worth, isn’t even based in the EU. The law doesn’t apply.
We had to put up with a lot of ridiculous hype, scaremongering, and outright lies about the cookie law. There came a point where nobody even tried to make a meaningful contribution to the dialogue, and hucksterism prevailed. And a law intended to give web site visitors greater control over their personal privacy and data protection instead became a commercial opportunity to name and shame the number of cookies in Mexican p/orno.
If that’s the best you can offer, it’s time to rethink your marketing strategy. And clearly they have.
So if you want to pat yourself on the back for complying with the EU Cookie Law by vomiting out a cut and paste statement, you now know where to go. After all, it’s all you need to do.
About the author
Heather Burns is a digital law specialist in Glasgow, Scotland. She researches, writes, publishes, consults, and speaks extensively on internet laws and policies which affect the crafts of web design and development. She has been designing and developing web sites since 1997 and has been a professional web site designer since 2007. She holds a postgraduate certification in internet law and policy from the University of Strathclyde.