EU Cookie Law Mythbusting

Unfortunately things have come to the point where I feel a need to put out a quick FAQ dealing with some misunderstandings about the EU cookie law. As with all my posts, this mainly applies to the cookie law as it has been implemented in the UK.

Myth: The cookie law is dead.
Bustin’: This misunderstanding came out of a well-meaning infographic which Silktide released earlier in the year. Their stance was that the cookie law was dead in the sense that there is neither public nor government interest in the law. While that’s absolutely true, the cookie law is not dead in the sense that it is still the law, it is still on the books, and it is still in force. So yes, legally, it is still alive; but structurally, it has as much relevance as one of those quirky 17th century laws still on the books requiring adult males to carry a blunderbuss outside the village walls. If a lack of public interest mortally wounded the cookie law, the PRISM and NSA revelations inflicted the final blow.
See also: how the UK got this law wrong.

Myth: The EU Cookie Law is a law across the whole continent.
Bustin’: The EU devolved the law to its member states to interpret within the legal guidelines as they saw fit. This means that there is not actually one EU Cookie Law. There are thirty of them. Any product, such as a plugin or script, which promises to make your site compliant with “EU Law” may well be a ripoff, because it has to comply with thirty different interpretations, not one.

The independent advisory group which reports on these issues to the EU notes the thirty laws as a problem and wants the EU to tighten things up, possibly leading to one trans-continental law. As you know by now, the speed of EU deliberation and legislation is positively glacial, so we would not see any changes requiring server-side work until 2016 at the earliest. What will the web look like in 2016, and what will our privacy issues be? Any changes would describe the web as it is now, not as it will be – and therein lies another problem.
See also: how to find out what law your site needs to comply with; how the EU got this dead wrong; how the law might change.

Myth: ICO have failed to enforce the cookie law.
Bustin’: This misunderstanding comes out of a lack of knowledge about how the cookie law works. ICO, the enforcing bureaucracy in the UK, is not actively conducting surveillance of the web looking for cookie law violations on British web sites. Nor are they parking wardens – they do not have a quota of sites to ticket and fine every day. As with all of the data protection issues within their remit, ICO can only respond to complaints made by the public.

Making a complaint to ICO, of course, means having an educated understanding of the issue and a willingness to go through the very long complaint form. As a result, the data we’ve seen so far indicates that the number of legitimate complaints stemming from this law are laughably small. The vast majority of complaints made to ICO about web sites for alleged “cookie” issues have been uninformed, spurious, ad-hominem, or vexatious. As early as February 2012 I warned that this law would be an opportunity for malicious and petty business owners to snitch on competitors for “cookie law violations” as a means of getting one up over them; this is exactly what came to pass.
See also: ICO’s summary reports for Autumn 2013, Summer 2013, Spring 2013, and 2012 aggregated.

Myth: Your business could receive a £500,000 fine!!!
Bustin’: Seriously. STFU. Here’s why.

Myth: We’re phoning from the Information Commissioner’s Office. We’re about to issue a £5,000 fine to your business, but if you do the compliance process now we’ll greatly reduce the fine.
Bustin’: That would be a scam artist calling from an overseas call centre. Perhaps this one, if not another.

Myth: You need to block site visitors who don’t tick your cookie law box, or whatever.
Bustin’: No, you don’t. Kill your popups, your dropdowns, your tick boxes, and all those other things that piss off your site visitors and don’t make any difference to personal privacy.
See also: the cookie law compliance horror show.

From here, you can read all my posts on the EU Cookie Law.

You can also visit my EU Cookie Law Pinterest board.

About the author

Heather Burns is a digital law specialist in Glasgow, Scotland. She researches, writes, publishes, consults, and speaks extensively on internet laws and policies which affect the crafts of web design and development. She has been designing and developing web sites since 1997 and has been a professional web site designer since 2007. She holds a postgraduate certification in internet law and policy from the University of Strathclyde. Learn about hiring Heather to write, speak, or consult.