Our evaluation, recommendations and examples for UK companies
With the new UK “cookie law” now in force, many UK companies will be wondering what they need to do to be within the law. Given the difficulties in interpreting the guidance on this law we thought it would be helpful to create a summary of what the largest companies have done to comply.
If you missed it the ICO issued new, detailed guidance on Friday 25th May, this included a big change with more advice on implied consent. If you haven't read that, it's important to "get your head around it". It's actually good news since it means explicit opt-in, e.g. through a pop-up isn't necessary as we thought it might be at one point.
The companies I evaluate here will have the resources to implement the changes and to take the decisions balancing interpretation of legal requirements against problems against a negative impact on user experience, brand and commercial results.
Evaluation of cookie compliance for large UK companies
Review of results
“Mixed” is the best way to describe the action taken. No companies seem to have full opt-in consent where the user has to take a pro-active action such as ticking a box in a pop-up before cookies are placed (like on the ICO site). This is positive since it suggests we won’t see a rash of pop-ups on sites and after initial browsing the message will disappear. It also suggests that other companies can use implicit opt-in in line with the latest guidance mentioned at the top of this post.
Many companies have taken no, or limited action which is maybe reassuring for other, smaller companies who have been unwilling or unable to take action based on technological or resource limitation (at SmartInsights we’re in this category and would rate ourselves similar to the companies that get 1/4 compliance.)
Steps to get compliance
1. Minimum (quarter circle)
B. Update privacy message
C. Provide a direct link to “cookie-use” policy from all pages
2. Sufficient? (half-circle)
We have this ambiguous label since with the new guidance on “implicit opt-in” we’re not sure for compliance you need to build complex/expensive opt-out solutions such as those built by the BBC and BT.
At this level you have a prominent panel above the fold with a link to more details which disappears as users click forward (implicit consent - we do recommend this).
3. Compliant for implicit opt-in (three-quarter circle)
As above, but with selection of cookies possible, examples BBC, BT and Burberry.
4. Full opt-in compliance
We haven’t seen any examples of this, other than the ICO site. Have you?
Examples of UK company compliance
Finally, let’s now look at some examples of good practice to learn from from those with more advanced implementations.
Fashion retail - Burberry
Burberry seem to be one of the few retailers to implement compliance with this minimalist approach.
Financial services - Barclays
One of the best implementations in FS? This is a prominent message which disappears after the first page view. A good model for implicit consent - better than the HSBC and First Direct version which is on the home page option and always there currently.
Media - publishing - The Guardian
A similar approach to Burberry
Media / publishing - The BBC
Similar to the Guardian, again disappearing after the first page view with implicit consent.
If you do want to implement opt-out, this is a good model:
Telecoms - BT.com
BT have a less clear, but sophisticated widget offering opt-out