New privacy law on cookies – do we need to take action?

The latest advice on the UK response to the revised e-privacy directive on site cookie usage

June 23rd update: The impact of the cookie law on analytics

I find this scary – a death knell to the “most measurable medium anywhere”. Thanks to analytics specialist Vicky Brock asking for information on visits tracked by Google Analytics to the Information Commissioner’s website, we can get a pretty good idea of how many would be happy to opt in to analytics – the answer is very few, and certainly few enough to skew the stats so they’re meaningless. The massive drop in traffic recorded is due to the implementation of an opt-in to cookies as shown in the next entry in this post. Time to dust off those old log-file based analytics tools in a year’s time I think…

Vicky filed a freedom of information request. Thanks to Mark Brownlow for alerting us to this – she has the full data set here.

May 25th update: New privacy law comes into force

Or does it? We’ve been tracking the Information Commissioner’s website and the latest new privacy law guidance (PDF) on the 25th May states that:

25 May 2011: ICO gives website owners one year to comply with cookies law

Organisations and businesses that run websites aimed at UK consumers are being given up to 12 months to ‘get their house in order’ before enforcement of the new EU cookies law begins.

So, there’s no need to panic: there’s one year to comply, so the deadline in reality is 25th May 2012. That’s what to tell any colleagues or clients who ask. But you’ll want to plan. This is the best practical guidance I’ve seen on the issues to consider in order to comply, although it’s all subject to further clarification by the ICO over the year and depends on how others interpret it.

It’s less clear what the implications are for Google Analytics, which is used by many sites. Silktide speculate on the implications of the cookie privacy law for web analytics, and this plugin has been developed which shows one example of what may be required for compliance. Yuk!

In the meantime it’s worth taking a look at the new update to the ICO website for an idea of how compliance may change privacy messages and encourage opt-in. Whoa – will all sites need to look like this?!

May 3rd update: on clarification of company action needed

With less than a month to go before the May 25th deadline some are scaremongering with headlines like “Websites face £500k fine for breaching ‘cookie’ law“.

That said, it is worth noting that there is indeed now a higher level of fine specified by the ICO, but this applies to all marketing activities covered by the May 25th update to the Privacy and Electronic Communications Regulations including sending unwanted emails and text.

The purpose of my update is to reassure marketers and site owners that there is now more clarity on the compliance required and it seems certain that in the UK companies will be given considerably longer than the May deadline. I also wanted to point you to the most authoritative sources giving guidance.

I say this following comments made by the person who gives guidance and clarification on the law, namely Information Commissioner Christopher Graham, speaking at the UK DMA’s Data Protection Conference earlier this month. The essence of the advice is summarised in these 2 documents from the UK DMA giving guidance on implications and actions to take:

My summary of these is that:

1. There will be a phased implementation meaning that companies will not be fined immediately, so long as they are taking steps to address the new law.

2. It’s hoped that browser settings may be used to manage the issue, which is clearly going to take some time to say the least, but it seems that some form of consent will be required where cookies aren’t essential to operation of the service.

3. Some forms of cookies for basket, session management and security essential for Ecommerce sites will be exempt. However, it’s still not clear how cookies for analytics will be treated – these affect nearly all sites!

Previous update: The cookie opt-in deadline

In this post we hope to alert all website managers and owners to the rapidly approaching 25th May 2011 deadline to incorporate “cookie opt-in law” into their sites. This deadline is set by EU members in Brussels as part of the “Citizens Rights Directive” 2009/136 (“CRD”) which includes amendments to the E-Commerce Directive (2002/58/EC).

Our update on this law is based on the latest advice from Marketing Law (Osborne-Clarke) and Out-Law (Pinsent Masons) which are the two legal sites we always turn to for UK digital marketing law updates.

What could the cookie opt-in requirement mean?

To gain an idea of what the new e-privacy directive could mean, take a look at the British Airways site and its cookie disclosure policy.
At the very least the new law could require substantial increases in disclosure of tracking to be planned for. At the worst, similar to the BA site it could require opt-in to cookies before going into the site. Could all sites soon have to look like this…?!
BA.com cookie policy

What does “cookie opt-in” mean?

The requirement for new site visitors to opt-in before using a site is a scary one given the widespread use of cookies by most sites today for everything from personalisation to tracking. The implications for ad networks offering remarketing and retargeting are also massive, so why has there been so little coverage of this issue outside the specialist legal sites?!

The wording of the new, revised Article 5 (3) of the Privacy and Electronic Communications Directive was what surprised me:
Member States shall ensure that the storing of information or the gaining of access to information stored in the terminal equipment of a subscriber or user should only be allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.

As Out-Law pointed out, this suggests a requirement for cookie opt-in for new site visitors.

I can envisage the need for splash home pages similar to that on BA.com clearly requiring consent. But what happens when visitors arrive deeper in the site as is common – have the lawmakers considered this? I doubt it!

Will there be exceptions to mandatory cookie opt-in?

So far, so frightening, but Osborne Clarke suggest there may be wiggle room around explicit prior consent.

They note that in para 66 of the preamble to the CRD it states:
Where it is technically possible and effective…the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application.

and at the end of 5 (3): “prior consent will not be required if the cookie is strictly necessary to deliver a service which has been requested by the user.”

They go on to say that this has been “seized on” by the UK Government in its consultation document as the basis for its preferred approach to implementing Article 5 (3).

The consultation document by the government Department for Business Innovation and Skills (BIS) takes a practical view which I couldn’t have expressed better myself:

“The internet as we know it today would be impossible without the use of …cookies …so it is important that this provision is not implemented in a way which would damage the experience of UK web users or place a burden on UK or EU companies that use the web.”

The government consultation document goes on to recommend this option:

Option 2: Allow consent to the use of cookies to be given via browser settings. This is the preferred option because it allows the UK to be compliant with the E-Privacy Directive without the permanent disruption caused by an opt-in regime.

So for now it seems UK site owners can relax, although the final recommendations from the government aren’t yet defined. However, if you operate in other markets there is still cause for concern. Watch this space!

  • http://www.whencanistop.com Alec Cochrane

    Hi Dave,

    This was something that was recently discussed at the London Web Analytics Wednesday where Alan Meneghetti from law firm Clyde and Co presented. His view was that if the information about cookies is in the privacy policy then this should satisfy the law.

    However he also pointed to the information commissioner’s office website as an example of a clear layout. However I personally feel that 400 words in the middle of an 1800 document doesn’t really do credit to the way that the information is going to be used. I suspect that I’m not alone and the real damage to web analytics is going to be done when Firefox, Chrome and IE all instill a third party cookie opt in white list as default on their next browser versions rather than defaulting all third party cookies as opt in.

    Personally I think we need to go further with our disclosures. We shouldn’t confuse people with the technology (because that will change), we should tell them what we are going to do with their data (like they do on the phone systems when you are being recorded).

    Cheers,
    Alec

  • http://formdigital.co.uk Adam Cranfield

    Very useful piece Dave – I have posted this on the Web Managers group.

  • http://www.smartinsights.com/about-dave-chaffey/ Dave Chaffey

    Hi Alec,

    Thanks for your note. My summary didn’t really touch on the impact on web analytics. But certainly a strict interpretation of the European law would require explicit consent before site usage.

    It looks like common sense (IMO) will prevail in the UK for now, but what’s happening in Germany maybe shows what will happen worldwide in the future?
    http://thenextweb.com/eu/2011/01/13/german-google-analytics-users-could-face-fines-in-privacy-row/

    You’re right that the browsers are likely to increase their default blocking of cookies, especially third party. It seems to be what many users want, so it helps increase installations of their browsers if they have this feature. Fortunately Google Analytics uses first-party cookies so is safe for now?

    With the strength of feeling against tracking amongst consumers suggested by initiatives such as http://donottrack.us/ and media scare stories http://www.nytimes.com/2010/08/30/technology/30adstalk.html I can only see us losing all tracking at some time in the future. Perhaps a micropayment solution to pay users to be tracked is the way it will go?! In the meantime this is what we’re up against – taken from the NYT piece:

    The shoes that Julie Matlin recently saw on Zappos.com were kind of cute, or so she thought. But Ms. Matlin wasn’t ready to buy and left the site.

    Then the shoes started to follow her everywhere she went online. An ad for those very shoes showed up on the blog TechCrunch. It popped up again on several other blogs and on Twitpic. It was as if Zappos had unleashed a persistent salesman who wouldn’t take no for an answer.

    “For days or weeks, every site I went to seemed to be showing me ads for those shoes,” said Ms. Matlin, a mother of two from Montreal. “It is a pretty clever marketing tool. But it’s a little creepy, especially if you don’t know what’s going on.”

    You can’t argue with that! Or can you?

    Dave

  • http://www.tonica.co.uk Mary Butlin

    Great article! I like the idea of a little Cookies in Use icon that could be easily featured on every page on a website – the link could lead to the Privacy section and instructions on adjusting your browser sessions. It means we’re not hiding information from the public and we’re also not halting the browsing experience with a full on opt in page. It might be ideal if you’re trading in multiple markets and needing to adhere to differing laws on privacy.

  • http://www.elisa-dbi.co.uk Rob Jackson

    A key part of Ms Matlin’s quote is the part where she says “especially if you don’t know what’s going on”. I think most users, if properly educated, would be fine with website owners using anonymous (Google Analytics does not collect Personally Identifiable Information) session data to improve their websites.

    I oversaw a University of Lancaster group project last year where the students surveyed internet users of all ages on their attitudes towards tracking and behavioural targeting. Based on news stories they had read about companies like Phorm, initial responses were mostly negative. After being provided with greater depth on how and why websites track user behaviour the majority of users were fine with web analytics tracking.

    Of course, narrow-minded scaremongering by newspapers like the Daily Mail doesn’t help.

    http://www.dailymail.co.uk/debate/article-1337837/Google-Why-let-creepy-company-spy-emails.html

  • http://talktomestudios.com Rob Forden

    I find it very hard to believe that in the United States cookie regulation will crop up anytime soon. If for no other reason the very high bureaucratic hurdles internet regulation requires, not to mention the complete lack of enforcement of any new regulation. As referenced above all major browsers are defaulting to blocking third party cookies, which should be a death knell for that tracking strategy at least in its current form. Additionally even if we were forced to adopt some sort of disclaimer splash page, don’t you think behaviorally, consumers would just treat it as they do software T&C’s, just click the box and be done with it?

  • http://www.megger.com Nick Hilditch

    For a multi-country site, we will inevitably have to steer in the direction of the strictest regime, else we will have to operate with multiple versions of the same site. That means that even if the US legal system does not move in the same direction as Europe, there will be a drift toward the European position.

    The consequences of having less efficient behavioural marketing will inevitably lead to higher marketing costs and consequently higher prices will be inevitable. I suggest that – just as with the direct mail industry – there has been a sad failure by marketers to point out to politicians the benefits to consumers of behavioural web marketing.

    • http://www.smartinsights.com/about-dave-chaffey/ Dave Chaffey

      That’s interesting you’re looking further afield Nick – yes – a “lowest common denominator approach” is often what’s practically required by companies who market internationally – that’s why the BA site is the way it is I guess.

      You’re right about the costs and how marketers should make a stand, but I fear the likes of IAB, WAA won’t be able to withstand the onslaught from media scare stories giving consumers what they want to hear.

  • http://www.dogaltasmarket.com dogal tas

    there has been a sad failure by marketers to point out to politicians the benefits to consumers of behavioural web marketing.

    • http://www.smartinsights.com/about-dave-chaffey/ Dave Chaffey

      I think you’re right, but I’m not sure they could have sold the benefits. Lobbying by business is maybe better in the UK since it looks like implicit opt-in will occur.

      They could/should have acted sooner though right?

  • http://www.mantolama24.com mantolama izolasyon

    If for no other reason the very high bureaucratic hurdles internet regulation requires, not to mention the complete lack of enforcement of any new regulation.

  • http://blog.marketingxd.com/ Pete Austin @marketingXD

    Re: new 2012 deadline.

    Wolf!

    • http://www.smartinsights.com/about-dave-chaffey/ Dave Chaffey

      Pete,

      Others were crying wolf – like Which above saying 500K fines – but not us – trying to keep it practical.

  • http://www.infojuice.co.uk Mark McGee

    Hi Dave,

    Just wondering if the stats shown in the June 23rd update might also reflect those visitors who didn’t actually see the opt-in message in addition to those who chose not to opt-in?

    Thanks

    Mark
