Are retailers too complacent about the cookie directive?

In just over a month, websites will be forced to ask permission before placing cookies that track online behaviour onto internet users’ browsers. New research shows that companies might be too complacent about their chances of being prosecuted.


Even though there is widespread discontent among businesses about the EU’s e-Privacy Directive, you can’t say the online industry hasn’t had fair warning. The law has been in place since last May, but the Information Commissioner’s Office (ICO) has given UK companies 12 months to comply.

In that time, there has been relatively little information forthcoming about who is likely to be caught by the regulations, or how to comply with them. So it’s hard to know how well prepared companies will be.

But a report commissioned by consultancy Eccomplished has now provided a snapshot of how 100 online retailers are responding to the legislation. Tellingly, 47% think it won’t apply to them because all the cookies they use are “strictly necessary for the delivery of a service requested by the user”. These are the only cookies that don’t require user consent under the law.

Those retailers might be right. Or it might be that their definition of “strictly necessary” is different from the one the ICO will apply when it eventually needs to take legal action against a website. The fact that almost half of online retailers believe they will be unaffected ought to be a cause for concern, given that the law was designed to place stringent checks on online data collection.

Elsewhere in the study, there is evidence that many retailers remain ignorant of the requirements of the directive. For example, 29% of retailers think cookies from third-party providers placed through their website are not their problem. (They are.)

As regards the mechanisms they plan to use to seek users’ consent to set cookies on their browsers, 63% of retailers intend to take “implicit consent” when a customer requests a service.

What the survey respondents understood by implicit consent is anyone’s guess. It could mean a tick-box and a link to some terms and conditions. Be warned, however, that one of the few pieces of detailed guidance given by the ICO says that users probably need to be told when cookies are set on their browser, need to be told what those cookies do, and need to agree to this in advance.

Assuming consumers already understand these things won’t be good enough to comply with the law. So gaining implicit consent, as the ICO defines it, is not likely to be legal. Neither is getting consent retrospectively, after the cookie has been set on the browser.

Nearly two thirds of online retailers say they have responded to the ePrivacy Directive by carrying out an audit of the cookies served by their site, and have updated their privacy policies. But the Eccomplished survey doesn’t investigate how thorough these audits have been, or the competence of those conducting them.

Let’s hope the advice retailers have been taking gives them a better understanding of the law than this survey suggests.