Kolvin Stone, a partner at law firm Orrick, argues that UK businesses are not significantly disadvantaged by the new EU cookie legislation, particularly compared to their US counterparts.
Over the last year much has been written about the new EU cookie law, some of it bordering on scaremongering and hyperbolic linkbait.
Consistent themes emerge around the impact that it will have on user website journeys, the potential loss of tracking and analytics capabilities for UK businesses and how costs of complying disadvantage UK start-ups as compared to our cousins in the US. It is this last aspect which is particularly uninformed.
As the amnesty period for compliance with the UK cookie law passed this weekend, it is time to look at the evidence and consider how the US – often held up as the flag bearer of freedom and entrepreneurism where starts-ups can prosper free of any intervention from regulators - is dealing with this issue.
For most businesses, this is all they will need to do, at least until more sophisticated browser technology is available, which will not come at a heavy cost or result in any loss of tracking and analytics capabilities. As an industry, is it so bad that we tell our users that we are placing cookies on their computers, and why?
The ICO, probably the most business-friendly privacy regulator in the developed world, has stated that it will adopt a pragmatic approach to compliance and will help businesses comply. This is likely to involve a consideration of an organisation’s resources and the privacy impact of the cookies used. Penalties, particularly fines, are a last resort and are reserved for the most serious contraventions of privacy laws.
This is in stark contrast to the strict enforcement regime followed by the Federal Trade Commission (FTC) in the US. Despite the lack of specifically enumerated rules and regulations, the FTC has commenced dozens of investigations and secured public “consent decrees” – many quite onerous – that are specifically focused on tracking technologies and cookies.
These decrees involve lengthy and expensive investigations, onerous undertakings such as annual privacy audits for a 20 year period and significant six- and seven-figure fines.
In 2011, when San Scout didn’t block flash cookies when providing an opt-out to cookies, the FTC took action that included requiring specified fixes to the website, 5 year opt-outs, homepage notices and in-ad notices. Another example involves Google, which this year is accused of circumventing Apple Safari browser’s to allow cookies to be dropped for advertising contrary to user’s choices.
As Google’s action could put it in breach of an existing consent decree that required a comprehensive privacy programme and 20 years audits for issues with Google Buzz, it is estimated that the fines for this violation could total more than $10 million.
So are UK businesses disadvantaged compared to our US counterparts? I would argue not. We have a business-friendly regulator and rules and guidance on the subject, as opposed to the US, where the enforcement regime is aggressive and punitive in nature, against a backdrop of no specific privacy rules.
Legislators should have differentiated between the different types of cookies and tracking technologies (those that impact on privacy and those that don’t) when setting the rules. But the regulators are doing this and developing a pragmatic approach which we should applaud.
When comparing the US and the UK, the phrase “grass is greener” springs to mind. We need to stop peddling that particular myth and focus on being transparent with our users.
Additional reporting by James Drury-Smith.