We look at the implications of Microsoft's recent comments on user control over cookies, the current regulator position and what all this means for the wider web-industry both now and in the future.
Microsoft has previously said it is turning the proposed Do Not Track standard "on" by default in IE 10, to the anger of many in the digital advertising and retargeting space.
It reiterated in December that it is going to stick to this position, but also advocated greater industry dialogue around giving fine control over tracking (and indirectly, cookies) to users.
This position is probably welcome news to EU and UK data protection regulators given the new cookies rules that came into play in May 2012.
The natural consequence of the "consent" that is now required by law to cookies being placed, is the means to manage opt-outs. Some website providers have gone as far as to redesign their sites to achieve this position, but most have not and at present, there is no simple and really effective means by which to manage such opt-outs.
Users have to rely on the present, often crude cookie-management tools presently available in current browsers, which frequently result in a diminished user experience on the one hand, or hardly anything being blocked on the other. The Internet Advertising Bureau's guidance on ad retargeting opt-outs, recently endorsed by the UK Advertising Standard's Authority, gives users another route, but is not well known or particularly well-publicised amongst consumers, and in any case only covers one area of cookies.
In practice, user consent to cookies is therefore something of a "Hobson's choice" between perceived privacy intrusion on the one hand, and clunky web-browsing or simply not using popular sites on the other.
As a practical matter, it would be unquestionably good for users and the global website industry as a whole to have this hole filled once and for all, especially to allow some cookies to be retained by users, and others blocked. Developing controls obviously requires real consensus though. As has been demonstrated with Do Not Track, there are strong vested interests on both sides of the argument.
There is also a balance to be struck in how control given to users. As some commentators have already observed, fine control is not the same as easy or readily understandable control. Facebook's privacy features are often held up as a case in point; they exist and have been revised relatively regularly but their complexity could be argued to breed as much confusion and in turn inactivity, as active control.
The UK Information Commissioner's Office (ICO) and wider EU privacy authorities do not appear (so far as we are aware) to be taking regulatory action on this point at present. To do so would probably be disproportionate in many cases given its systemic nature, however it can only be a matter of time before this issue comes to a head given the increasing profile now attached to cookies and their privacy implications.