ICO's concrete examples give businesses a better chance of meeting cookie law demands

The rules, which became law in the UK in May, force web publishers to make sure they have explicit consent before using cookies.

We have criticised the Information Commissioner's Office (ICO) for failing to provide the kind of direct guidance that businesses who are not experts in data protection law need in order to implement the new rules.

The rules are confusing, they represent a major change to how businesses operate their websites and places new burdens on them that they are finding hard to understand.

But this week the ICO went some way to providing just the help that they need, and all it took was a handful of diagrams. A glance at its ideas of how this might work in its just-published updated guidance (27-page / 341KB PDF) should help businesses to begin to get a grasp of the problem.

Businesses feared that traffic to their sites would melt away once users were asked to consent to cookies, but when you see the kind of forms that could be used to comply with the law this looks pretty unlikely.

This is because people are much more adaptable when using technology than they might be given credit for. They will be faced, increasingly, with small boxes telling them that a site uses cookies. Here are some of their suggestions:

Suggested cookie law-compliant dialogue boxes taken from the ICO's updated guidance, reproduced with the permission of the ICO

There is a perception that cookies are bad and privacy-invading. This is of course not the case, they can be used well or poorly like anything else. But will that perception mean that users refuse to give consent for cookies and accept a more limited web experience because of it?

Perhaps at first. But that perception about cookies will shift, and fast. If they refuse cookies and are then faced, as they will be, with a diminished online experience, they will do their own research into the issue.

And when they do that research they will have more information available than ever,  because sites now have to be more transparent about how they use cookies.

Personalisation is so hard-wired into many web experiences now that losing it will cause users to find out more about them and, in almost all cases, will lead them to decide to accept cookies.

The ICO has said that it will begin enforcement in May 2012. If we look at what the situation will be a year after that, past the initial turmoil of implementation and the unfamiliar boxes that will suddenly appear on all our favourite websites, what are we likely to see?

We will see boxes like those the ICO has published appearing the first time we visit sites. But so many sites demand sign-up or registration now that those little cookie tick boxes will simply form part of an experience we are already well used to.

And will web traffic have fallen dramatically? Will users have deserted the websites of businesses because they are asked about cookies? It is highly unlikely.

So what is it that businesses fear? They fear desertion by users, which is unlikely to happen. They fear extra cost in implementing this, and that is inevitable. Most of all, though, they fear uncertainty about how to implement it. They didn't understand what they were being asked to do or how to do it.

The ICO has done a poor job until now of allaying that last fear, but in finally suggesting concrete approaches that businesses can take to comply they have gone a long way towards laying it to rest.

It does not necessarily mean that this is a great law, or one that was needed. But at least it is one that businesses have a better chance of complying with today than they did last week.

Claire McCracken is a technology law specialist at Pinsent Masons, the law firm behind Out-Law.com