Cookie Law Myth-Busting

May 4th, 2012

Topics: Featured, Perspectives, Privacy

(reposted from eCircle.com Best Practice Article)

The deadline is looming.  May 26th ,  2012 will mark the one-year anniversary of the “cookie law” coming into effect. Non-compliant businesses will soon run the risk of facing penalties from the ICO if they don’t meet the regulations.

The cookie law has become one of the most talked about topics in the industry and was a main keynote presentation at eCircle’s  ConnectEurope2012, with so many questions being fired from all angles we didn’t have time to answer them all!  

In this ‘Ask the Experts’ article, eCircle has teamed up with Conrad Bennett from Webtrends, a leading web analytics partner, who led this packed presentation at the event to get these questions answered. Here Conrad explains what the law means for your business and identifies the top 5 myths around this topic.

Currently most businesses seem to be playing a waiting game, at least in public, as no-one wants to be the one to ‘jump first’ and make changes to their website in order to be compliant with the legislation. With the deadline a little over 3 weeks away, this waiting game will become more interesting as the vast majority of sites need to do something to become compliant.

So, with few leads forthcoming from major brands, what actually needs to be done by the deadline?
In simple terms, websites need to tell visitors what cookies they are using, how they are used, and gain visitors’ consent to set those cookies. The pertinent point here is that the consent needs to be explicit – but more on that later.

Although the top-line is relatively simple, a number of myths still persist around the legislation.

Myth #1 – It isn’t law yet

As referenced earlier – the cookie law is a legally binding regulation already. It’s not coming. It’s not on the horizon. It’s here. The one year deadline given by the ICO was put into place to give businesses the time to implement the necessary changes without the threat of penalties. The ICO recognised that it was going to take time for businesses to adapt, and while there is no doubt that many businesses are in the process of finalising their cookie compliance, the fact remains that all websites must be updated by the 26th May, or at the very least be seen to be making a conscious effort to change. If this doesn’t happen, any business which is not compliant will be leaving itself open to some stiff penalties from the ICO.

Myth #2 – It doesn’t apply if your site is hosted elsewhere

One dangerous myth circulating is that if a site is hosted outside the country where the legislation applies, then the law doesn’t need to be adhered to. This is far from the case – if a site has visitors from the countries where the law is in place, it has to comply with the legislation. Strictly speaking, this potentially affects business based anywhere in the world, although quite how that would be enforced is another matter.

While currently in Europe half of the countries have complied (the UK was one of the first to show concrete action), many still need to show definite activity – perhaps surprisingly, countries such as Germany, Italy and the Netherlands have yet to enact legislation.

Myth #3 – I don’t need to do anything – my suppliers have this under control

Site owners are liable for all the cookies on their site. While suppliers and third parties are taking actions to comply, the onus ultimately is on the site owners themselves. It’s also not necessarily in the site owners best interest to rely solely on their suppliers activity – suppliers have their own priorities for compliance, which may not match your own objectives for your site or brand. It will be more beneficial (and result in less drop-out and customer frustration) if there’s a universal cookie opt-in which visitors complete once to give them full access to the site.

Myth #4 – There’s an easy technical solution

There is no simple technical fix for businesses. One option for brands is to not use any cookies – but this isn’t going to be feasible for 99.9% of businesses. Waiting for the browser manufacturers to come up with a solution sounds like an easy way out, however while browser developers are undoubtedly working on making compliant browsers, these won’t be released ahead of the deadline. Additionally, the browsers will be compliant from the point of view of the manufacturers, and not necessarily for the brands’ websites themselves. Brands need to keep in mind that whatever technical solutions others are developing, the best way for them to be prepared and compliant is to take matters into their own hands and ensure their own sites are compliant.

Myth #5 – The legislation means I can’t collect any data

The legislation doesn’t cover general data collection and subject to the normal data protection legislation, there is no problem with collecting data per se. The legislation is designed to provide visitors with the mechanisms to make informed decisions about how their data is collected and used. With the relevant consent in place, analytics can still take place.

The original legislation came out of existing telecoms laws designed to prevent Spam etc. and was enhanced to cover activities like behavioural advertising. Although analytics has been caught up in this because of the blanket approach to the technology used (i.e. cookies), the legislation was never intended to target analytics, or to prevent site owners from being able to measure and improve their sites. The ICO has issued guidance on this, stating that first-party analytics cookies are likely to be considered low priority when it comes to enforcement.

What’s next?

Businesses need to do a ‘cookie audit’ and look at the cookies they are currently using and why. These are a good thing to do as regular practice, but should certainly be done now as businesses will be reviewing their cookie activity in line with the legislation.

Businesses also need to consider what method they are going to use in order to gain consent. Based on the ICO guidance regarding analytics cookies, a number of sources have suggested that explicit consent is not required. This is going to have to be a decision for each business to make for themselves – ultimately there is a trade-off to be made between full compliance and what might be considered enough to avoid enforcement issues from the ICO. Should site owners decide that explicit consent is required, there are a number of options available, each potentially having a different impact on customer opt-in.
The types of consent available include:

• Modal dialogue –an option on the first page to opt-in, outlining the types of cookie, duration of opt-in and a link to further details, privacy policy etc. This can also be used for universal consent (“if you agree, you agree to all cookies on the site”)

• Status bar – giving visitors the option to tick and accept cookies. This will usually overlay the page content itself, and may be seen on every page if they don’t opt-in. By their very nature, these are (and need to be) intrusive to get a response, otherwise visitors will ignore them

• Warning bar – a notification that if visitors enter the site, some cookies will be set. Clicking on a link to go anywhere else on the site is considered to be consent

The first option is likely to be the most preferable for the majority of brands. The key with cookie consent is to remember that the ultimate aim is to get visitors to accept cookies and maximise opt-in, which needs to be done in the most painless way possible. Most people either don’t care about or understand cookies (or both), and as such businesses need to educate visitors about what the cookies will be used for and encourage them to opt-in. There is nothing to be gained by making the consent option unobtrusive, as most visitors will ignore it (as happened to the ICO’s own website).

Many businesses will find that they face a challenge as they look to ensure their sites are compliant while ensuring that visitors opt-in for cookies. It is imperative that brands take action today to be ready – procrastination is no longer an option.

This article is a summary of eCircle’s newsletter “Inside Digital Marketing”. If you wish to receive further news from the email and social media marketing sector please subscribe here

 

Leave a Reply

  • (will not be published)

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>