I have just been pointed in the direction of the new-look ICO website, which now sports this banner at the top of the page (I've added the bold):
On 26 May 2011, the rules about cookies on websites changed. This site uses cookies. One of the cookies we use is essential for parts of the site to operate and has already been set. You may delete and block all cookies from this site, but parts of the site will not work. To find out more about cookies on this website and how to delete cookies, see our privacy notice.
I accept cookies from this site. []
I think most users would agree that the new look is pretty ugly. I think web designers would be sacked if they came up with it. I'm not sure that clients would be very pleased if their lawyers told them to do it either. And worst of all, it doesn't even seem to fix the problem (note the giveaway confession: "one of the cookies we use ... has already been set").
In fairness to Christopher Graham, the Information Commissioner, it's not wholly his fault that he's ended up in this mess. He didn't write the Directive that says that website operators can't use cookies unless users have consented (i.e. before the cookie is installed). He just had to deal with the backlash from everyone who runs a website (I rather enjoyed this rant from Struan Robertson, then editor of Out-law.com, calling the new law "breathtakingly stupid").
UK law already fudges the issue. The EC Directive doesn't say that browser settings are a legitimate way to get consent, but the UK Regs implementing the Directive say:
(3A) For the purposes of paragraph (2), consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent.
I'm not sold on this at all - if most users don't read their browser settings, isn't it stretching the legal meaning of consent to argue that failing to change a browser setting can amount to consent? Consent has to be informed, specific, freely given and must involve some positive action on the part of the consenter. Surely failing to untick an option hidden away in some options menu in your browser won't work ... ?
The Information Commissioner has been praised for being "pragmatic" in his interpretation of the law - though that sounds like a euphemism for "not doing what the Directive says" to me. Today, he's being even more "pragmatic" and giving website operators a year of non-compliance before he'll do anything about it.
I thought this was also an opportunity to roll out in the post title an old line I wrote in an article in 2003, which I suppose goes to show that the legislators have still not got to grips with what to do with cookies.