Skip to main content

ICO: browser settings won't satisfy EU cookie law

The Information Commissioner's Office has told UK website owners that they won't be able to rely on settings in web browser software to help them comply with a new EU regulation on cookies, due to come into force at the end of this month.

The latest versions of the four major browsers - Mozilla Firefox, Google Chrome, Microsoft Internet Explorer and Apple's Safari - have all been updated to include more sophisticated cookie controls.

But it seems they're still not sophisticated enough for the privacy watchdog's liking, as the ICO is keen to point out that many users haven't yet upgraded to the latest versions of the software.

Described by Information Commissioner Christopher Graham as "very much a work in progress", the guidance (PDF) issued today directly contradicts suggestions made by the government that anonymous browsing settings could be enough to satisfy the changed rules, due to kick in on 26th May.

"At present, most browser settings are not sophisticated enough to allow you to assume that the user has given their consent to allow your website to set a cookie," the ICO's guidance states. "So, for now we are advising organisations which use cookies or other means of storing information on a user's equipment that they have to gain consent some other way."

The ICO also acknowledges the increased role that smartphones and tablets play in users' online activity, noting that many people now use apps to access online services rather than browser software - so sites will need to look at methods of informing users irrespective of the way they access online services.

To provide a fool-proof way of informing users that they are being tracked, the ICO suggests alternatives such as pop-up alerts - but admits that these "might well spoil the experience of using a website".

Cookies that are deemed "strictly necessary" for a service that the user has explicitly requested - such as secure logins or checkouts on e-commerce sites - are exempt from the legislation. But for all other purposes - including, for instance, providing customised content on a site's homepage - sites will need to seek the user's consent.

Not that they have to worry about it just yet. Having dropped a few handy hints about compliance, the ICO has restated its intention not to take action against companies that fail to comply. Instead, it plans to investigate sites only after a complaint has been received, and even then it will only ask them to show that they have a "realistic plan to achieve compliance".