Implementing the Cookie Law: Four Key Questions
On 26 May 2011 the EU Cookie Directive came into law in the UK through Regulations and the ICO Guidance but after a last minute panic, enforcement was suspended for a year. On 26 May 2012 the ICO will start enforcing the law and imposing fines – are you prepared?
Despite the flurry of cookie opt-in notices that have appeared on websites, most UK businesses are still unprepared or unsure of the law. There’s lots of 'guidance' available, though it’s not always comprehensible. We aren't going to replicate that advice here, although we have provided headline actions, rather we are urging you to consider four key questions . . . .
Question One: UK or Europe wide compliance?
The EU Privacy Directive is being implemented differently across Europe. The UK is one of the first countries to implement this directive and at the moment seems to be at the more restrictive end of the spectrum. However, France, Holland, Greece and Norway have all been contemplating a stricter interpretation.
If your website has a European or international audience then you will need to check that the steps you take to comply with the Directive here will be sufficient. The ICO suggests compliance with UK regulation will be a good first step.
Question Two: What kind of cookies?
The International Chamber of Commerce’s (ICC) guidance helpfully separates cookies into four types:
Category 1: strictly necessary cookies
The definition of what is a strictly necessary cookie is quite narrow. Specifically they enable services that visitors have asked for, so for example they might be related to the shopping basket on an ecommerce site. The regulations say that you don’t need an opt-in for these, but it’s highly unlikely that any website will just have this category of cookie.
Category 2: performance cookies
These collect anonymous data on the performance of websites so that they can be improved. Google Analytics falls into this category.
The ICO guidance says ‘provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytic purposes in any consideration of regulatory action’. ‘Highly unlikely’ isn’t quite the same as saying that opting in to Analytics cookies isn’t necessary, but it is probably as close as we will get.
Asking visitors to opt in to performance cookies is tricky, because they are of no direct or immediate value to the visitor. The ICO itself experienced this when it added a cookie opt in banner to its website and the level of traffic recorded in its Analytics dropped by 90%. For most of us Analytics is at the heart of our understanding of what works on our website and a reduced sample of visitors is not a good basis for decision making, so the ICO’s statement about not prioritising action against performance cookies is very welcome.
Category 3: functionality cookies
These remember choices visitors have made to improve their experience of the site, so it might include user name, language, text size etc. A common example of this is the WordPress cookie that identifies if you have been authorised to comment on a blog. It's much easier to explain to users why they might want to use these cookies and often consent can be built into key processes like setting up an account or changing settings.
Category 4: targeting cookies or advertising cookies
These are the cookies that collect information so that ads can be personalised around your browsing habits. Often these are 'third party cookies', dropped by a third party advertising network (like Google) rather than by the website owner. They might also be survey or market research tools.
The water gets particularly murky about who is responsible for consent for third party cookies. If you have third party adverts on your site and/or are using category 4 cookies then arguably it is your responsibility to tell visitors. If you are then processing the information you collect, remember you must also comply with the Data Protection Act.
Different types of cookies require different responses depending on the type of information they collect and the way it is then used.
Question Three: Does your compliance reflect your brand?
How you comply with the regulations is at least partly a brand decision. If you have brand values associated with being trustworthy (which if you are taking payments online you should), then the way you choose to implement the opt-in should reflect this.
The most recent ICO guidances discusses the idea of 'implied consent' and the gap between what the public knows about cookies and the sophistocation of the techniques used by website owners. The emphasis is on openness, transparency and education and for many brands this is a great opportunity to strengthen the customer relationship.
A proportionate response that takes responsibility for the information your website collects is key. The general consensus is that the ICO is unlikely to prosecute companies that don’t meet the ICO guidance if they can show that they have made a genuine effort, but sticking your head in the sand, particularly if you are using cookies to collect and use personal information would be a mistake.
The ICO guidance states that if a complaint is made and there is evidence of a plan for compliance, then they will respond very differently than if nothing at all has been done to comply with the regulations.
Question Four: What is your intention?
OK, this is not to do with the cookie law per se, but there is a point here about why a privacy directive is necessary and the intention behind collecting and storing data, whether or not this involves cookies.
Marketeers have been using personal information to sell stuff for generations. When you use a supermarket loyalty card the supermarkets use data on your buying habits to target ads at you (this is a great article about this), and arguably it's Facebook’s massive bank of personal data that makes it so valuable to investors.
However, category 4 cookies hit a public nerve about what is known about what we do in the privacy of our own homes surfing the net and how this information is used. How businesses use data is an ethical not a legal question and compliance is not simply about complying with the letter of the law; it is about complying with the spirit.
If your intention is to use data in a way that undermines visitors’ privacy – whether or not you are using a cookie – then you are undermining the relationship with your customers and by fuelling public unease about privacy are encouraging even more draconian regulation.
We’ve enjoyed discussions with Neil Howlett a Solicitor at Harris & Harris about the legal side of how the regulations are likely to be interpreted and enforced. Also input from Andy Atkins-Krueger from WebCertain at SMX Advanced about European implementation.
For more information see
• ICO guidance: on the purpose and approach to the regulations
• ICC UK Cookie Guide: on categories of cookies and ways to describe them
• Your Online Choices : Internet Advertising Bureau’s guide to online behavioural advertising and privacy
• AboutCookies.org: advice on how to delete and control cookies on different browsers
• The History of the Do Not Track Header : blog by Christopher Soghoian posted in 2011 about the development of do not track solutions to cookies. Christopher is an online security advisor in the US and this blog is a fascinating insight into the online tracking and government surveillance issues that sit behind the EU Privacy Directive.