MC Thinks

Simple steps to become cookie compliant

19 January 2012

On 26th May 2011 the law in the UK changed, making it illegal to place cookies (those small text files that are the foundation of many website functions and the basis for digital marketing analysis) on a user’s device without their consent. If you own a website that is setting cookies without getting consent then you’re breaking the law – and latest reports show that most organisations underestimate the volume of cookies on their site by about 80%.

Many are now aware of the change in law, but most businesses have yet to react – despite potential fines of up to £500,000. In October this year, Christopher Graham, Information Commissioner, commented: “I still think there are a fair number of people in the advertising business and the website business who are in denial about this… However much you don’t like it… Consent for cookies is the law.”

So why have so few businesses done anything about this legislation?

Is it complacency?

That appears to be the opinion of the Information Commissioner. However, according to research from Affilinet, only 12% of marketers who responded to a recent survey believe that businesses will be able to engage consumers successfully without the use of cookies. So, clearly, there is a sense within the industry that a significant increase in cookie opt-out will have serious repercussions for online marketing.

Do some think that technology is going to resolve this before businesses need to react?

Possibly, yes, as there has been a lot of noise about technology developments in this space. However, it is a false hope to think this will be in place any time soon.

The UK government has been vocal in its belief that, with some development, browser settings may provide a means to indicate user consent (or lack thereof). In theory, it does make sense that three main browsers (IE, Firefox, Chrome) need to be changed rather than thousands of websites. However, in practice, this is ignoring some clear stalling points. Firstly, all three browsers are primarily headquartered outside the EU and so have only a limited incentive to change a global system for the sake of one region – and a region that has multiple variations of the law. Secondly, the organisations behind these platforms are competitors and have limited incentive to work together. Finally, even if new browser versions are released, they will take time to be adopted by users. Browser negotiations are underway but, realistically, development will be too slow to have a solution in place in less than 12–18 months.

Another vocal group is the IAB, which is rolling out an icon-based self-regulatory program for online behavioural advertising. The role of this program is to provide consumers with easy access to information on, and control mechanisms for, targeted advertising. However, while this forms part of the UK Government’s ‘ecology of solutions’, this program isn’t sufficient to meet the law as it only covers some uses of cookies. In fact, the IAB themselves have always said this program began development before the change in law and is intended to support best practice and not legal compliance.

Are there organisational barriers within the businesses themselves?

Again, the answer to this is probably yes (in some instances). This is an issue that falls across legal, compliance, marketing, and web dev departments. Such businesses may struggle to find the issue a home and develop the necessary inter-departmental working groups.

Or is it just a lack of clear understanding of what businesses need to do?

This is probably the primary reason for lack of action to date. What the ICO fail to acknowledge in their statement is that their initial guidance on this topic didn’t clarify a number of key points, leaving businesses uncertain as to how to find a balance between compliance and creating a negative user experience.

Fortunately, the latest set of guidance, released 13th Nov 2011, not only resolves some of those missing details but also takes a practical approach that should be a welcome relief to the industry:

  • Prior consent remains recommended but is not mandated as it is recognised some cookies are set as soon as a user accesses a site. However, notification must be prominent, understandable, and delivered soon after setting cookies – for example an on-page icon linking to specifics about cookie use
  • Prior consent should be achieved where possible. Where mechanisms for ‘active consent’ (getting someone to tick a box saying I agree) already exist (registration, purchase pages, settings alterations) these should be used. Only where that’s not practical will enhanced notice be enough
  • Information about cookie use should be clearly understandable and focus more on role and benefit rather than specific details of every cookie
  • Linked to this, consent can be inferred only so long as it’s reasonable to expect a user has seen educational messaging about cookie use onsite. In part this will require industry initiatives such as Google’s current poster campaign, but websites should also use the same promotional mechanisms they would use to promote any other news (social feeds, newsletters, latest news sections)
  • In practice sites will need to take responsibility for securing consent for any 3rd party cookies delivered while the user is on the site, but consent can be given for groups of cookies by function rather than requiring individual notification by cookie
  • ‘Strictly necessary’ cookies, which are exempt from the law, are better defined and further examples given

So what does all this mean for website owning businesses?

Given the practical stance now taken by the ICO, it’s finally possible for businesses to proceed in making themselves compliant and inaction is no longer excusable.

As a result, Media Contacts have developed some simple steps to help get businesses to compliance:

  • Double-check to make sure you know all the properties in your web estate as you will need to make them all compliant
  • Work with us to help you audit the cookies on your sites and explain their uses
  • Work with us to create a dedicated page on your site that explains the types of cookies you use, their role, and how users can opt out if they wish. This can be an extension of your existing privacy policy
  • Identify how you can create a prominent link to this section on any pages where a user is likely to enter the site (e.g. a header link or clickable icon)
  • Identify the promotional mechanisms you can use to raise awareness amongst your user base (social feeds, newsletters, etc.)
  • Identify the touchpoints where you can gain active consent (acceptance of T&Cs, notification next to key navigational buttons, etc.)
  • Link to industry education efforts such as http://www.youronlinechoices.com/uk/

For more information on any of this please contact christopher.swarbrick@uk.mediacontacts.com
