Briefing papers

E-commerce and Data protection

The Information Storage and Access Rule: Designing a consent user interface for “Cookies”

Robert Carolina


This paper explores the problem of designing an online experience for compliance with the new European rules on end user machine storage and access. This is more commonly known as the “cookie consent” problem. The paper begins with a review of relevant points from the Directive on privacy and electronic communications, especially the newly adopted rule requiring “consent” when an online service provider wants to store or access data on an end user’s machine. The Directive is NOT a cookie law – rather, it is a law that happens to apply to cookies, as well as many other storage and access technologies. The law does not regulate the technology as such. The law regulates how online service providers use storage and access technologies, including cookies.

The paper examines the legal concept of “consent”, noting that appropriate evidence of consent very much depends upon the circumstances. Actions that create risks, are intrusive, or otherwise seriously violate expectations usually require a greater degree of evidence to persuade legal authorities that “consent” has been given.

Finally, the paper suggests that the process of demonstrating end user consent is – at heart – a user interface design problem. As such, the consent problem can be solved by first developing a design brief for a consent user interface. The brief needs to include key messages that explain how and why information is being stored on, or accessed from, an end user’s machine. Interface designers, in consultation with compliance specialists, should then have the information they need to produce an environment that demonstrates appropriate consent.