How are companies complying with the new cookie law?

Our evaluation, recommendations and examples for UK companies

With the new UK “cookie law” now in force, many UK companies will be wondering what they need to do to be within the law. Given the difficulties in interpreting the guidance on this law we thought it would be helpful to create a summary of what the largest companies have done to comply.

If you missed it, the ICO issued new, detailed guidance on Friday 25th May; this included a big change, with more advice on implied consent. If you haven’t read that, it’s important to “get your head around it”. It’s actually good news, since it means explicit opt-in, e.g. through a pop-up, isn’t necessary as we thought it might be at one point.

The companies I evaluate here will have the resources to implement the changes and to take the decisions balancing interpretation of legal requirements against a negative impact on user experience, brand and commercial results.

Evaluation of cookie compliance for large UK companies

We have done an evaluation based on the type and format of privacy message and the options for controlling use of cookies. From the evaluation you can see which companies have taken action to implement the law and may be the best models to follow (most have followed implied consent). We have mainly selected companies from the FTSE 100 covering a range of sectors.

Review of results

“Mixed” is the best way to describe the action taken. No companies seem to have full opt-in consent where the user has to take a pro-active action such as ticking a box in a pop-up before cookies are placed (like on the ICO site). This is positive since it suggests we won’t see a rash of pop-ups on sites and after initial browsing the message will disappear. It also suggests that other companies can use implicit opt-in in line with the latest guidance mentioned at the top of this post.

Many companies have taken no, or limited, action, which is maybe reassuring for other, smaller companies who have been unwilling or unable to take action because of technological or resource limitations (at SmartInsights we’re in this category and would rate ourselves similar to the companies that get 1/4 compliance).

Steps to get compliance

1. Minimum (quarter circle)

A. Review use of cookies through an audit, classifying them as Strictly necessary, Functional, Performance and Advertising (see the BBC or BT as an example)

B. Update privacy message

C. Provide a direct link to “cookie-use” policy from all pages

2. Sufficient? (half-circle)

We have given this an ambiguous label since, with the new guidance on “implicit opt-in”, we’re not sure that compliance requires you to build complex/expensive opt-out solutions such as those built by the BBC and BT.

At this level you have a prominent panel above the fold with a link to more details which disappears as users click forward (implicit consent – we do recommend this).

3. Compliant for implicit opt-in (three-quarter circle)

As above, but with selection of cookies possible; examples are the BBC, BT and Burberry.

4. Full opt-in compliance

We haven’t seen any examples of this, other than the ICO site. Have you?

Examples of UK company compliance

Finally, let’s now look at some examples of good practice to learn from, taken from those with more advanced implementations.

Fashion retail – Burberry

Burberry seem to be one of the few retailers to implement compliance with this minimalist approach.

Financial services – Barclays

One of the best implementations in FS? This is a prominent message which disappears after the first page view. A good model for implicit consent – better than the HSBC and First Direct version, which is an option on the home page and is currently always there.

Media – publishing – The Guardian

A similar approach to Burberry.

Media / publishing – The BBC

Similar to the Guardian, again disappearing after the first page view with implicit consent.

If you do want to implement opt-out, this is a good model:

Telecoms – BT.com

BT have a less clear, but sophisticated, widget offering opt-out.

  • http://twitter.com/mchapman mchapman

    There is a general sense from this legislation, isn’t there, that people are being better empowered to complain and it is important to ensure customers know they are being well-served / well-treated (not abused, hassled, over-sold or targeted etc) by cookies on websites.

    What is poor about this legislation is there is no understanding about its commercial impact (which probably is a strong indication about how the Eurozone is in such a mess… those working as EU legislators do not understand commerce).

    There seems to be an unhealthy fear and paranoia of cookies when they generally improve user experience on websites. Just at a time when recessionary winds are picking up strength, the digital industry has to waste much time and resource trying to map a journey through a complicated legal landscape.

    This is not at all helpful in these tough economic times, and I question the value of the ICO and EU here where they are affecting our ability to be financially successful – and even survive for some companies.

    I still believe improved cookie management via browsers is a better solution than requiring websites to develop thousands of individual, separate cookie consent mechanisms. Mad bureaucratic interference in eCommerce. Anyone know what the browser companies are doing on this at present?

    • http://www.smartinsights.com/ Dave Chaffey

      I wouldn’t say they’re being empowered to complain – it’s intended to increase their awareness of how their data is used – which isn’t a bad thing by me.

      I think the ICO, particularly with their new guidance which permits “implicit opt-in” have done a good job of listening to company feedback that this could be anti-commercial/competitive and common-sense has prevailed.

      I think the problem with the cookie law is that often the cookies, e.g. a session cookie hold no Personal info so most people wouldn’t have a problem with this. The new guidance from the ICO talks about “how intrusive a cookie is” and suggests session cookies aren’t a problem.

      You’re right cookie management is a sufficient solution – I would advise companies against investing in solutions as BBC, Burberry, Barclays have implemented – it’s too costly and unnecessary.

      It’s being handled through the W3C, but not sure what the latest is:
      http://www.w3.org/QA/2011/06/workshop_tackles_the_hard_prob.html

      Dave

      • http://twitter.com/mchapman mchapman

        With all this publicity and coverage, everyone should now be asking “How is my data being handled on this website and by this company / charity / government”? Good questions to ask – but not simple to answer.

        Will they be able to penetrate this complex subject and should laws be used to try to facilitate this? Generously, I would say, the jury is still out on those 2 questions. I don’t think laws should do this; organisations need to work on developing more trust with their customers / taxpayers / browsers.

        Who on earth wants to recommend charities, companies, buy services and products from them, interact with a government etc, that they don’t trust?

    • Frann Leach

      People are so ignorant that this move by government has made some of them turn off cookies in the browser entirely out of sheer panic. Then they wonder why they can’t get email…

  • Pete Finnigan

    Hi Dave,

    Is the ICO full opt-in compliant? I can ignore the cookie header and browse away and not accept the cookies; that’s fine as no cookies seem to be set, BUT if I do accept I cannot revoke that acceptance (unless I missed it) without clearing the cookies from my browser. I thought revoking was part of full compliance.

    The bottom line seems to be that so many solutions have been done by so many companies, each spending clearly a lot of money and each having a different opinion of compliance – partly to be expected as each site is different.

    nice post,

    cheers

    Pete

    • http://www.smartinsights.com/ Dave Chaffey

      Hi Pete,

      You’re right – it wouldn’t be fully compliant in that sense – interesting – many others’ approach will be based on using browser settings, so theirs can too.
      I’d still give them a full-circle on my rating though.

      It looks like the latest guidance is “implied consent” so I don’t think they will be investigating themselves…
      You’re right – the cost is high potentially – with Implied Consent I’m not sure it needs to be that high with selective opt-out facilities which is what costs.
      Dave

  • http://twitter.com/slw57 Sarah Wynne

    Hi Dave,
    I think if you take a look at the Purple Frog website you will find that it’s 100% compliant, as we have gone for requesting explicit consent. Let us know what you think of our compliance! http://www.purplefrog.co.uk

    • http://www.smartinsights.com/ Dave Chaffey

      Hi Sarah, I like the design of the site and you have good control on cookie opt-out. However, the subtle triangle bottom-left is arguably not prominent enough if you compare to the above-the-fold messaging in many of the examples in this post.

      I doubt you would have problems though.

      BTW I noticed you have Purple Frog Purple Frog » Purple Frog which is a bit strange – better to include your value prop too in title? Repetition – sorry old SEO but trying to be helpful!

      • James

        Hi Dave,

        The triangle always stays above the fold (it locks to the bottom of the window) and hopefully with the automated popup that triggers on every page until acceptance has been granted we should tick all the boxes on what is a horrible topic and cause of great frustration.

        This is the same system used by the Scottish Government and a few other Government agencies and was developed to meet their needs so should be good enough to meet all the criteria :)

        One day before the deadline and they revise their guidance – just to make the mess even messier – especially after many companies have committed money on full compliance grrrrr

        thanks for the comment on the title – WordPress settings need tweaking by the looks of it!

        best wishes

        James

  • http://twitter.com/mchapman mchapman

    Have been thinking on how many strands there have been to this issue.

    A key one is the cost and sheer hassle to business and other organisations implementing this law in these very difficult and hard economic times.

    Commercial enterprises are working to generate wealth and pay themselves – as well as pay taxes.

    And then along comes this extra burden.

    The EU and the Government really need to look at their processes; why harm business at this time?

    Another key issue is why was there no attempt to allow the digital industry to self-regulate? Just come along, bang out a law, then threaten everyone everywhere with legal action. Charming.

    To adapt Winston Churchill: “Never has so much been written about something so little of relatively little interest to so many.”

    (Or so we thought… until now :)
