The cookie law, “informed consent”, and disability

What happens when governments demand “well-informed consent” from individuals who are unable to provide it? What if access to information or services is conditional upon that consent? Which law wins?

This is an NHS site which has been blocked with an overlay caused by a malfunctioning cookie law compliance solution.
This is an NHS site which has been blocked with an overlay caused by a malfunctioning cookie law compliance solution.

I had an interesting exchange with an individual regarding the EU Cookie Law and the conflicts it creates with other laws, a contradiction I first spotted three years ago before the law came into effect here in the UK. The conflict lies in the EU’s requirement for “well-informed consent”, a process which can easily slide into legal and moral hair-splitting while placing a tremendous burden on the web site administrator.

This individual took his concerns further and ended up with some very interesting information. I post our exchange here anonymously.

“Back when the cookie law first came into effect, I decided to read through the legislation to determine how best to implement it on my clients sites. However, I soon realized that the ICO and EU directive’s explicit requirement for “well informed consent” was problematic at best (I specialize in accessibility on the web).

What if the end user couldn’t give consent due to being subjected to the mental health act (under a duty of care) or in more mainstream circumstances, if they had a disability that impaired or diminished their capacity to give well-informed consent (conditions like cognition disorders, memory disorders or learning disabilities).

My thoughts were… if you demand well-informed consent from people unable to give it, they either give up the right to the enriching technologies, or they have to break the law, claiming they give something they cannot (consent).

So, I rang the ICO, explained my concerns, they referred me to the individual in charge of advising on the directive (Abigail Saul), and she in turn asked me to send it by email to the individual who helped write the law (David J Evans).

I then rang the Equality and Human Rights Commission to ask firstly what their definition of well-informed consent implied under Directive 95/46/EC (the European Data Protection Directive), and if denying disabled users access to cookies on the basis that they can’t give well-informed consent is deemed discriminatory.

The response I got: The Equality and Human Rights commission during two separate calls agreed that if we prevent access to cookies or any technology, by way of demanding something that disabled users may be unable to provide (well-informed consent), they deem it an actionable violation of the Equality Act. The ICO also accepted a possible conflict, but washed their hands of the issue as they have no power over the EU parliament and are just enforcing the act.

The ICO did say they’d be unlikely to pursue those who didn’t comply on the basis of accessibility, and they did remove the “informed consent” paragraph from their advice sheet. But the EU directive still demands it, and the ICO admitted if it’s deemed a violation of the equality act, any EU member state or individual could still take legal action against a site putting accessibility over the directive.

So long story short… if you comply with the cookie law (right to privacy), you violate disability law (rights of the disabled) and vice versa,making all web designers open to potential lawsuits from the opposing camp.

The ICO’s only advice to me has been to ask my local MP to change the Equality Act in order to fix the conflict (I have that in writing). But I’m not willing to mess up a good law (and the rights of disabled people) for that poorly written cookie law.”

I thank the individual for seeking me out to provide this information.

As a profession we are stuck in the quicksand of having to implement EU laws which conflict with other EU laws. What will it take for them to wake up and smell the coffee?

About the author
Heather Burns is a digital law specialist in Glasgow, Scotland. She researches, writes, publishes, consults, and speaks extensively on internet laws and policies which affect the crafts of web design and development. She has been designing and developing web sites since 1997 and has been a professional web site designer since 2007. She holds a postgraduate certification in internet law and policy from the University of Strathclyde. Learn about hiring Heather to write, speak, or consult.