Steak Group: London office +44 (0)20 7420 3500

We are STEAK.

A full service international digital marketing agency.

Cookie Day Approaches: Here’s How To Get Ready

By Duncan Parry

Last year I wrote about the UK Information Commissioner’s Office’s efforts to enact the EU ePrivacy Directive, and the “year’s grace” granted to brands to help them comply.

May 26th, 2012 is Cookie Day – the day the grace period ends. Whilst the ICO isn’t going to start breaking down doors and issuing fines the day after the grace period ends, brands need to make sure they have taken steps to comply – and continue to do so.

March 13, 2012

ICO “Waiting a Year” Before Enforcing Today’s UK Cookie Law

We’ve previously covered the EU ePrivacy Directive and resulting law that comes into force today (May 26th) and provided our advice on complying with it; now we’ve got some good news for brands worrying about this topic: the Head of the ICO has stated that they will not be enforcing the law for one year to give brands time – and to allow conversations with browser manufacturers to take place.

We previously covered how current browser settings didn’t offer consumers the level of control the law would require, and how businesses needed to be aware of the steps they need to take to work towards compliance. Here are the quotes from the Head of the ICO:

“It would obviously ruin some users’ browsing experience if they needed to negotiate endless pop ups, and I am not saying that businesses have to go down that road. Equally, I have to remember that this law has been brought in to give consumers more choice about what companies know about them.”

Brand Republic’s coverage goes on to state: “He added that although the Government is not expecting the ICO to enforce the rule on cookies straight away, “this does not let everyone off the hook” and those which do not take action will be taken into account when it enforces the law…. Although it will not be taking enforcement action against business until technical solutions are developed at browser level to meet the requirements on using cookies, in a year’s time, it is willing to use the ability to impose civil monetary penalties of up to £500,000 for “serious breach” of the privacy and electronic communications regulation.”

Our advice: businesses still need to start taking steps to comply as suggested here – and the Head of the ICO is implementing a solution similar to the “accordion” units we suggested on their website.

May 26, 2011

Update: How to be ready for the EU Cookie Law – New ICO Guidance

We blogged last week about the EU Directive on ePrivacy – “Cookies and The EU Directive: Don’t Panic” and “Cookies and The EU Directive: What Brands Need To Do”.

The Information Commissioner’s Office has now (with less than 30 days to go) published some guidelines. They state some important points:

  • The Directive applies to mobile devices and applications, as well as “normal” websites; earlier EU/UK government documents didn’t always explicitly state this, but it was widely assumed
  • That the Directive applies to: “how you use cookies and similar technologies for storing information on a user’s equipment” which means future developments like Connected TVs will be covered by this
  • That Flash cookies (i.e. Locally Stored Objects) are covered in case of any doubt
  • Acknowledges (see our earlier posts) that browsers do not currently have the functionality to a) categorise cookies by purpose and b) offer consumers an easy way to control cookies by these categories (and therefore purpose)
  • States that browser settings are currently not therefore suitable to “rely on” for getting consent from consumers, despite the Directive mentioning them
  • That adding consent clauses to site Terms and Conditions is acceptable, but consumers have to be alerted to this change – they must know about it to therefore give consent
  • That cookies set as a result of choosing to use a particular site feature also require consent (slightly contradicting earlier suggestions that any cookies required for site functionality were exempt). To be explicit: only cookies that are “strictly necessary” are exempt – e.g. a cookie that enables a shopping basket to work
  • Further examples of how to gain consent for particular types of cookies might be issued in future by the ICO

Translating the ICO Guidance Into Action

So what do brands actually need to do? Here are our suggestions, replacing our earlier post on the topic – but of course, we also recommend checking with in-house lawyers, and keeping an eye on the ICO site and industry press. As we’ve commented before, the 25th is just the start.

1: Audit your cookies and tags

The first step is the obvious one – make sure you know which cookies your site drops across all of its pages and as a result of on-page functionality being used. We suggest you review the tracking tags on site, too – always a useful housekeeping exercise and a perfect opportunity to remove any that are no longer required, and to consider a tag carrier solution to make this process easier in future.

We can assist Steak clients with this and suggest a tag carrier and attribution solution that we believe is significantly more advanced than the current market leader – and is being developed with privacy issues in mind. Please email your contact for more info.

It’s worth noting that redundant tags add to page load times – something Google started paying more attention to a few years ago – and slower loading pages will always impact negatively upon conversion rates.

2: Categorise your cookies and tags

As the Directive allows greater leeway for cookies that are vital for site functionality, it makes sense to categorise your cookies and treat different categories differently. We suggest adopting the DMA’s categorisation:

“Cookies necessary for the provision of service: In this case, you may continue to use cookies but you should explain to consumers why you are using them. For example, tell consumers who use an online banking service that cookies are there for security purposes and that they cannot use the service without them.

Useful but intrusive cookies: These cookies are useful to your organisation but are particularly intrusive from the consumer’s point of view. An example of this type would be third-party cookies which track a user’s use of the internet as they move from website to website. You will need to get consent for the use of such cookies and ensure that website visitors are fully aware of how the cookie will work in simple terms which they can understand.

Helpful non-intrusive cookies: Cookies which fall into this category would include cookies which track anonymously how visitors move through your organisation’s web pages. You will need to get consent for the use of such cookies in your privacy policy.

Obsolete cookies: There is no point in asking for consumers’ consent to the use of cookies if they are irrelevant. The audit provides a good opportunity to remove the use of such cookies from your website and will ensure compliance with the requirement in the Data Protection Act 1998 that personal data should not be kept for longer than is necessary.”

The ICO advice builds on this, and makes clear that cookies should be assessed for how intrusive they are, and suggests one way to do this is to imagine them on a sliding scale – including 3rd party cookies.

3: Update Privacy Policies and Site Terms and Conditions

We strongly suggest brands add text to the existing privacy policy pages linked to from the site footer, or via a new footer link “Cookies” depending on in-house style. This should cover the different types of cookie as categorised above, clearly specify what they are used for and link to any 3rd party information as relevant – the ICO document states: “You must think also about giving people more details about what you do – perhaps a list of cookies used with a description of how they work – so that users can make an informed choice about what they will allow.” Remember that you should also provide links to any opt-out mechanisms that exist, too.

4: Decide how to tell consumers – and plan site changes

The ICO have (finally) been clear – brands need to tell consumers that they are using cookies and alert them to any update to Privacy Policies or site Terms and Conditions after the 25th of May, including linking to information about the policies of third party cookies.

The ICO document discusses two options for informing consumers:

Splash pages or pop-ups which the ICO discount as possibly irritating, and they seem to miss that many browsers block most pop-ups as standard, anyway.

Text in the footer or header which highlights/scrolls when a cookie needs to be set – this could be a good option, or incredibly ugly – and the ICO seem to have missed that most consumers rarely see the footer of a site, as it’s below the fold.

Sites also need to make clear if any site functionality drops a cookie – e.g. ticking a “remember me” box when logging in.

This area is challenging – brands will need to alert consumers without scaring them, or ruining the aesthetic of their websites. No doubt we’ll see some good and some terrible attempts at this in the coming weeks; our initial suggestions are:

Consider a header “accordion”

This is something Amazon already do well – if you visit the .com site from the UK, a content “accordion” suggests you visit the .co.uk site; Yahoo! do the same. It’s not hard to imagine these adapted to state something like: “This website uses cookies; under new EU law, we need your consent to use them – please click here” linked to the relevant information / opt out to gain consent (or not). Obviously this needs legal sign-off; but the mechanism is worth considering.

This could be set to only appear on first visit to the site after the 25th (using a cookie, ironically) and then re-enabled for subsequent changes. This of course only applies if the user doesn’t need to give consent on every visit – but if that becomes required, the industry is going to have wider issues to worry about, anyway.
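The first-visit mechanism described above, combined with the cookie categories from step 2, as an added example that is not from the original post or from the ICO. The cookie name `cookie_consent`, the version counter, the inventory entries and the one-year lifetime are all assumptions made for illustration.

```javascript
'use strict';

// Hypothetical names throughout; categories follow the DMA list in step 2.
const NEEDS_CONSENT = { necessary: false, intrusive: true, nonIntrusive: true };

// Constructed audit inventory (step 1): cookie name -> category.
const INVENTORY = {
  basket_id: 'necessary',      // shopping basket
  adnet_uid: 'intrusive',      // third-party cross-site tracking
  site_stats: 'nonIntrusive',  // anonymous on-site analytics
  old_campaign: 'obsolete',    // found in the audit, should no longer be set
};

const POLICY_VERSION = 2;  // bump when the privacy policy or Ts and Cs change
const CONSENT_COOKIE = 'cookie_consent';

// Parse a document.cookie-style string into a Map, skipping malformed pairs.
function parseCookies(cookieString) {
  const jar = new Map();
  for (const part of String(cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 1) continue;
    const name = part.slice(0, eq).trim();
    if (name) jar.set(name, part.slice(eq + 1).trim());
  }
  return jar;
}

// The consent record is client-controlled, so accept only the exact
// format "v<digits>:<known categories separated by dots>".
function readConsent(cookieString) {
  const raw = parseCookies(cookieString).get(CONSENT_COOKIE);
  const m = /^v(\d{1,4}):([A-Za-z.]*)$/.exec(raw || '');
  if (!m) return null;
  const granted = m[2].split('.').filter((c) => NEEDS_CONSENT[c] === true);
  return { version: Number(m[1]), granted: new Set(granted) };
}

// Consent counts only if it was given against the current policy version.
function currentConsent(cookieString) {
  const consent = readConsent(cookieString);
  return consent && consent.version === POLICY_VERSION ? consent : null;
}

// Show the header "accordion" on first visit, and again after a policy change.
function shouldShowBanner(cookieString) {
  return currentConsent(cookieString) === null;
}

// Gate every cookie write: "strictly necessary" cookies may always be set,
// obsolete and unaudited ones never, the rest only with current consent.
function maySetCookie(name, cookieString) {
  const known = Object.prototype.hasOwnProperty.call(INVENTORY, name);
  const category = known ? INVENTORY[name] : 'unaudited';
  if (category === 'necessary') return true;
  if (NEEDS_CONSENT[category] !== true) return false; // obsolete or unaudited
  const consent = currentConsent(cookieString);
  return consent !== null && consent.granted.has(category);
}

// Record the visitor's choice as a cookie string (lifetime is an assumption).
function buildConsentCookie(categories) {
  const granted = categories.filter((c) => NEEDS_CONSENT[c] === true);
  return `${CONSENT_COOKIE}=v${POLICY_VERSION}:${granted.join('.')}`
    + '; Max-Age=31536000; Path=/; SameSite=Lax; Secure';
}
```

In a browser, pass `document.cookie` as `cookieString`; a record of `v2:` with no categories means the visitor declined everything that needs consent, so the banner stays hidden and only necessary cookies are set.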

The current usage of this technology by Amazon and Yahoo! is shown below:

Add text to functionality options

Wherever a site user takes action (clicks, ticks a box etc.) and enables site functionality that drops a cookie, add text telling them – e.g. “By ticking “remember me” you will set a cookie on your computer. Read more here” (linked to Ts and Cs/Privacy Policy as relevant). This of course won’t be the easiest thing to integrate into site designs – another option might be a small piece of text “Uses Cookies – Hover for Info” which uses a hover-over tool tip to provide info and a link.

5: Monitor the Press

This will be the most important thing after the 25th May – as further DCMS/ICO guidelines may be published and the attempts to enhance browser functionality succeed or fail, brands will need to adjust their cookie usage / site text accordingly.

We’ll post further posts and update this one as relevant.

May 12, 2011

Cookies and The EU Directive: What Brands Need To Do

UPDATE: we’ve posted a revised set of steps following the ICO’s guidance notes here – please read these instead.

In part one we outlined the EU Directive affecting cookies and some of the controversy and interpretations surrounding it; below we discuss the practical steps we suggest brands should take before the 25th May, drawn from our own reading and briefing notes from the IAB UK, DMA, IPA and other sources:

1: Audit your cookies and tags

The first step is the obvious one – make sure you know which cookies your site drops across all of its pages and as a result of on-page functionality being used. We suggest you review the tracking tags on site, too – always a useful housekeeping exercise and a perfect opportunity to remove any that are no longer required, and to consider a tag carrier solution to make this process easier in future.

We can assist Steak clients with this and suggest a tag carrier and attribution solution that we believe is significantly more advanced than the current market leader – and is being developed with privacy issues in mind. Please email your contact for more info.

It’s worth noting that redundant tags add to page load times – something Google started paying more attention to a few years ago – and slower loading pages will always impact negatively upon conversion rates.

2: Categorise your cookies and tags

As the Directive allows greater leeway for cookies that are vital for site functionality, it makes sense to categorise your cookies and treat different categories differently. We suggest adopting the DMA’s categorisation:

“Cookies necessary for the provision of service: In this case, you may continue to use cookies but you should explain to consumers why you are using them. For example, tell consumers who use an online banking service that cookies are there for security purposes and that they cannot use the service without them.

Useful but intrusive cookies: These cookies are useful to your organisation but are particularly intrusive from the consumer’s point of view. An example of this type would be third-party cookies which track a user’s use of the internet as they move from website to website. You will need to get consent for the use of such cookies and ensure that website visitors are fully aware of how the cookie will work in simple terms which they can understand.

Helpful non-intrusive cookies: Cookies which fall into this category would include cookies which track anonymously how visitors move through your organisation’s web pages. You will need to get consent for the use of such cookies in your privacy policy.

Obsolete cookies: There is no point in asking for consumers’ consent to the use of cookies if they are irrelevant. The audit provides a good opportunity to remove the use of such cookies from your website and will ensure compliance with the requirement in the Data Protection Act 1998 that personal data should not be kept for longer than is necessary.”

3: Update Privacy Policies and Consider Site Ts and Cs

Until the full DCMS guidelines are published (sometime after the 25th May – see part one), knowing exactly how the DCMS and ICO will require websites to gain consent for dropping cookies is impossible. At the very least, we strongly suggest brands add text to the existing privacy policy pages linked to from the site footer, or via a new footer link “Cookies” depending on in-house style. This should cover the different types of cookie as categorised above.

We also strongly suggest talking to in-house lawyers at this stage, but especially on the point of consent. It may be that site Terms and Conditions will become the place to request consent in the DCMS guidelines. The theory is that by using the site the visitor accepts the site Ts and Cs (a standard mechanism now) and the Ts and Cs can be amended to include giving consent as a result of using the site. That may be a change worth making sooner rather than later.

4: Monitor the Press

This will be the most important thing after the 25th May – as detailed DCMS/ICO guidelines are published and the attempts to enhance browser functionality succeed or fail, brands will need to adjust their cookie usage / site text accordingly.

We’ll add further blog posts as this develops.

UPDATE 6/5: Some government guidelines might be published before the 25th according to some sources; however how much time brands will then have to act is unclear; we still suggest following the steps above.

May 5, 2011

Cookies and The EU Directive: Don’t Panic

In 2002 the EU passed the Directive on Privacy and Electronic Communications covering the “right to privacy in the electronic communication sector” and in 2009 issued a revised ePrivacy Directive as part of a wider piece of legislation comprising a total of five Directives – the full (bland) EU text can be found here.

Fast forward to 2011, and on May 25th the five Directives are required to become national law across the EU – including the section relating to cookies. This has led to a lot of press coverage in the mainstream and digital industry press, with dire predictions of the death of web analytics, digital marketing, behavioural marketing and even sophisticated websites themselves.

This is nonsense – here at Steak we want to be very clear about that. To borrow a phrase from a well-known British sitcom – “Don’t panic!”.

As noted by the IAB UK in their briefing note to members, the ICO unfortunately fuelled this atmosphere with a press release entitled “‘UK businesses must wake up’ to new EU law on cookies, Information Commissioner warns”, despite the body of their release acknowledging the work the IAB and other industry groups have been doing to work with the ICO to turn theory into practical guidelines for business – work that will continue past the 25th of May.

Further confusion was created when the Head of the ICO used the phrase “explicit consent” in a Radio 4 Today Show interview: the IAB have subsequently received confirmation from the ICO that he was wrong to use this language – brands do not need to start asking consumers explicitly every time a cookie is dropped on their device.

The 25th is not D-Day for Cookies

The DCMS (Department for Culture, Media and Sport) have been quite frank: the technical guidelines that lay out how brands should actually implement the directive into practical steps on their websites will not be complete for the 25th May.

In addition, the Information Commissioner Christopher Graham said: “I cannot bark at the industry at the moment because I have not got the regulations.”

He did however add “My message is that this is not your ‘get out of jail free’ card” and continued to state that complaints would be judged against what brands had done to prepare for the 25th.

The reality is that the 25th May is not D-Day for cookies: rather it’s a milestone in a longer process that will result in guidelines from the DCMS that brands will need to follow; but they are expected to take some steps beforehand. Nobody in government has clarified exactly what they are – brands have been left to make their own interpretations.

The Browser Will Be Key?

Something that was missed in some of the early coverage of the 25th May was the preamble to the Directive. The IAB Europe stated in November 2009 that:

“For cookies, the legislation’s preamble specifically says that the control settings in a web browser such as Firefox, Internet Explorer, Chrome, Opera or Safari are sufficient to comply with the consent requirement in the legislation.”

The implication the IAB Europe was drawing in 2009 was clear: consumers are consenting to cookies by enabling them in their browser (and have always been able to block them overall or for individual sites, although this is time consuming and not easy for the non-technical). It should be noted that some law blogs have questioned this interpretation, as the preamble was originally a part of a draft of the Directive and was rejected; and preambles have in the past been given less legal importance than the actual Directives themselves.

Thinking around browser settings has advanced since 2009, with the ICO and DCMS “pursuing” enhanced browser settings “which will give website visitors more information as to how the website uses cookies. This will also give people understandable choices regarding any cookies being placed on their computers” according to the UK DMA (Direct Marketing Association). The DCMS guidelines published on the 20th of April support this approach – it’s important to note that, overall, consent via browser settings is the mechanism supported by the UK government.

No browser updates have been made that introduce easier-to-use functionality for cookie control, nor has any browser manufacturer clearly stated they will do so specifically because of the Directive for the 25th of May. It remains to be seen if the aspirations of UK government bodies will become reality with the global companies involved; and other EU governments have taken harsher stances – as Lewis Silkin note, the UK may face EU legal action in future.

Not All Cookies Are Born Equal

One significant point to note is that the Directive allows for the use of cookies in a way that makes sites function on an opt-out basis. To quote the DMA again: “This will mean website owners will not need consent from the user to place cookies on their computers where the use of the cookies is strictly necessary for a service provided by the website owner at the request of the user. This will cover, for example, the use of cookies in shopping baskets on e-commerce websites and security cookies on online banking websites.”

So brands do not need to worry that they will need to significantly re-engineer their online functionality as a result of the Directive and subsequent DCMS guidelines.

Behavioural Advertising and Cookies

Behavioural advertising will attract a lot of attention with regards to cookies and the Directive – there’s been plenty of previous coverage around the privacy implications. The IAB and industry bodies have been working directly with Brussels on this, and the EU has broadly supported the industry’s approach, including the consumer education websites linked to at the bottom of this article as well as an easily recognisable Internet icon, privacy policy notices, a single consumer control page, and a self-regulatory compliance and enforcement mechanism. This approach is still under development.

In part two of this blog post, we lay out the steps Steak and industry bodies suggest brands need to take before May 25th. UPDATE 16/5: we’ve posted a revised set of steps here following the ICO’s publication of guidelines.

UPDATE 6/5: Some government guidelines might be published before the 25th according to some sources; however how much time brands will then have to act is unclear; we still suggest following the steps in our second blog post.

Useful Links

ICO: Confidentiality of Communications Guide (Cookies)

DMA Newsletter Guidance on Cookies

Lewis Silkin on the DCMS and Cookies

All About Cookies from the IAB

Your Online Choices: IAB Guide to Behavioural and Cookies for Consumers

May 5, 2011