
FEATURE 

Cookie Consent – where are we?

You will have noticed a plethora of cookie messages popping up on websites, in all shapes and sizes. There is little uniformity or consistency and many sites appear to be doing nothing. This, writes Jenny Moseley, is not good enough.

By Jenny Moseley

Well, it was a bit like the Millennium. We expected fireworks, but the year’s grace on the implementation of cookie strategies that was given to UK business ran out on May 26th and the world didn’t come to an end.

A couple of mentions on the TV business news, a few articles in national press and lots of mentions in the trade and business press, but that doesn’t mean it’s over. It’s the law and like it or not, your cookie strategy is supposed to be in place and visible to consumers by now.

The trouble is that none of us is absolutely sure what full compliance is. Multiple interpretations exist, and will probably continue to exist because the technology is moving a lot faster than the regulators’ understanding of it.

But you have to make a start. And in this article, I hope to guide you and give you appropriate links to aid you on your cookie journey.

The Direct Marketing Association UK has issued a 10 point plan on what you should be doing and if you haven’t gone very far (and many businesses haven’t) this is a good place to check where you are on the road to compliance.

The ICO surprised us a bit when the latest guidance came out just before the deadline. “Implied consent” was included – in fact the ICO said “implied consent has always been a reasonable proposition” and “whilst explicit consent might allow for regulatory certainty ... this does not mean that “implied consent” cannot be compliant”. Click here for the ICO’s full guidance.

However “implied consent” does not mean that you can hide behind your privacy or cookie policy without giving “specific and informed” guidance about cookies when a visitor arrives at your website, opens one of your emails, or downloads a mobile app.

Yes, the regulations do apply to email and mobile as well as websites. And whilst I am beginning to see evidence of “implied consent” wording in emails, the mobile task is much harder because of the lack of room you have to explain your cookie policy. For apps it can be conditional, “by downloading this app you are consenting to our terms and conditions”.

(You could, of course, notify your use of cookies as part of the sign up process and only if someone consents do you send marketing messages containing cookies – that can get a bit ugly in terms of processing those permissions, versus your legacy permissions.)

The inclusion of “implied consent” in the ICO final guidance did surprise some commentators. The previous guidance did say that “implied consent” might apply to some types of cookies in certain circumstances, but applying “implied consent” to behavioural targeting I think may be a bridge too far in the context of some publishers’ online strategies.

New terminology has surfaced – “shared understanding” between websites and users. And that’s a good way to look at it in view of the different audiences you may have. Subscribers to a computer title will be more aware and potentially less concerned about the placing of cookies or other devices on a user’s terminal. Subscribers to other titles may need more explanation and the more that “shared understanding” develops the less consumer concern, or so we hope.

What does the law actually say?

Regulation 6 of the Privacy and Electronic Communications Regulations 2003.

A person shall not store or gain access to information stored in the terminal equipment of a subscriber or user unless a subscriber or user of terminal equipment:

a. is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and

b. has given his or her consent.

The ICO says that those setting cookies must:

* tell people that the cookies are there

* explain what the cookies are doing

* obtain their consent to store a cookie on their device

(The word “cookie” doesn’t appear in the regulation and is used here generically to cover any tracking device that stores data or gains access to data on a user’s “terminal device” – which includes for example, computers, laptops, tablets, smart phones, web-enabled TV).

So what do you have to do?

* Tell people the cookies are there.

This should be the first message that people see when they visit your website or receive an email marketing message or text. Each website, even if you have 500 of them, must carry the message, but it need only carry it once to each individual. A visitor who has seen the message and bypassed it would be seen to have given “implied consent”. I’ve been collecting “opening messages” since May 26th and frankly they are few and far between. It’s time to take this seriously.

What should you say in that message?

Tell them your terms:

Website: We use cookies on this website to improve your browsing experience and by continuing to browse you accept that we are storing cookies locally on your computer or mobile device.

Email: By enabling images or clicking on a link, you agree that you give us your permission to use cookies in this email. Want to know more? See the end of this email and our Cookie Policy.

(You might want to keep the wording short in the header and put more wording in a footer message).

But don’t forget to express the benefits.

So now you are over the first hurdle and you need to direct the user to more information about what cookies you are using and what they do. This you can do in your cookie policy with a link from your opening messages.

* Explain what the cookies are doing.

Yes, it is best practice to define what cookies you are using and what they do; it is no good just saying – we use cookies!

The International Chamber of Commerce UK has issued guidance which helpfully classifies cookies into 4 main groups and their definitions are becoming widely accepted.

1. Strictly necessary cookies – to enable services that users have requested, or that make a website work (for them, not you).

2. Performance cookies – aggregated information about how visitors use a website.

3. Functionality cookies – choices made such as username, language or region, text sizes, and customised pages.

4. Targeting cookies – to deliver relevant advertising (involving third party cookies, for which it is much more difficult to explain how users can be given control).

Of course it is more complicated than that, and one size doesn’t fit all, so take a look at the ICC UK Cookie Guide.

Some websites I have seen have gone into enormous detail about cookies they set, and do so in very technical detail which may not be customer friendly.

A simple table of types of cookies is my favourite at the moment: saying what the cookie’s name is, what the cookie does and how it functions, and how long a cookie is set for. Remember to advise that new cookies are being set regularly so individuals should check back regularly. Conversely your developers will be adding cookies, so be sure that you keep your cookie table up to date.

* Obtain their consent to store a cookie on their device (except of course for strictly necessary cookies)

OK, so you have used “implied consent” at the beginning of the customer journey, but you must remember that an individual needs to make informed choices and so the websites that I consider to have followed best practice (I’m not going to say are compliant because we’re still learning what compliance looks like) are providing the customer with the ability to switch off (or on) all but strictly necessary cookies.

Typically this is being delivered via tick boxes which can toggle on or off to give the user control over the cookies that the site uses. It goes without saying that you only need tick boxes for the cookies that you use!
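
As an added example (not from the original article, the ICO or the ICC), the JavaScript below ties the cookie table to the tick boxes: each cookie is registered with one of the four ICC UK categories, and a cookie is only built if its category has been ticked. The cookie names, purposes, lifetimes and function names are constructed for illustration.

```javascript
// The four ICC UK categories described above.
const CATEGORIES = ["strictly-necessary", "performance", "functionality", "targeting"];

// Constructed sample cookie table: name, purpose, category, lifetime in days (0 = session).
const COOKIE_TABLE = [
  { name: "session_id", purpose: "keeps basket and login working", category: "strictly-necessary", days: 0 },
  { name: "stats_visit", purpose: "aggregated visitor statistics", category: "performance", days: 365 },
  { name: "lang", purpose: "remembers language choice", category: "functionality", days: 180 },
  { name: "ad_segment", purpose: "third-party interest-based ads", category: "targeting", days: 90 },
];

// Turn tick-box state into a consent record. Strictly necessary is always on;
// every other category is off unless the box was explicitly ticked (=== true).
function recordConsent(ticks) {
  const consent = {};
  for (const c of CATEGORIES) {
    consent[c] = c === "strictly-necessary" ? true : ticks[c] === true;
  }
  return consent;
}

// Build the cookie string only if the cookie is in the table and its category
// is consented. Unregistered cookies are refused, which keeps the published
// table in step with what developers actually set.
function buildCookie(name, value, consent, table = COOKIE_TABLE) {
  const entry = table.find((e) => e.name === name);
  if (!entry || !consent[entry.category]) return null;
  let s = `${encodeURIComponent(name)}=${encodeURIComponent(value)}; Path=/; SameSite=Lax; Secure`;
  if (entry.days > 0) s += `; Max-Age=${entry.days * 86400}`;
  return s;
}

// Cookies to delete once a user has unticked (or never ticked) a category.
function cookiesToRemove(consent, table = COOKIE_TABLE) {
  return table.filter((e) => !consent[e.category]).map((e) => e.name);
}
```

In a browser the returned string would be assigned to `document.cookie`, and the names from `cookiesToRemove` expired whenever the user changes a tick box.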

That’s all very well, I hear you say, but that involves a good deal of investment in back-end technology which is expensive and time consuming. That’s true, but if the general rule amongst consumers is that they’d rather say no than yes, and you want to avoid the single tick box which can decimate your volumes, then it has to be done.

Email and mobile

The IAB and the DMA have collaborated over some excellent guidance for email and mobile marketing which can be found here and here.

And the IAB has done some splendid work including a website targeted at educating consumers about cookies which is also worth a visit. You’ll learn a lot from this site not only as a marketer, but as an affiliate, a website designer or as an advertiser.

Can technology help?

The first thing to do is to find out what cookies you have, so start with an audit. There are several free programmes if you search online. Some suppliers are developing sophisticated software. No recommendation here, but Truste and Evidon might help those publishers with multiple sites and complex cookie strategies; other services are available and it’s always worth consulting your web, email and mobile suppliers first!

It is recognised that developing browser technology will help users to set their cookie choices, but that’s not an overnight solution; it’ll take years until everyone has upgraded to the latest versions.

So what’s next?

There is concern that the UK is out of step with the rest of Europe. For instance, the Netherlands has apparently adopted a full opt-in consent strategy, but there is little evidence of it on the Dutch sites that I’ve visited. The Netherlands is one of five countries being taken to court by the European Commission for failure to enact the rules. In France the CNIL – the regulator – has indicated that analytics are outside the scope of these regulations, whereas other countries including the UK say they are not. The CNIL has also indicated that it may need to revise its guidance. And the Article 29 Working Party published an opinion a few days ago analysing the exemptions to the prior opt-in consent requirements for cookies, where they clarify the rules on session and persistent cookies. So we should be aware that guidance may change.

In the UK, the ICO has indicated that we should not expect a raft of enforcement, but that doesn’t mean you can do nothing. The ICO has written to 50 of the largest website publishers in the UK asking what they are doing about cookies and reminding them of their obligations. Whilst I think that £500,000 fines (the maximum) might not be applied, that doesn’t mean that some lower figure won’t.

More importantly, the consumer won’t put up with poor practice and the ICO has provided the consumer with a means of “snitching” on a website, formally named as Report Your Cookie Concerns.

And since the questionnaire remains anonymous and is designed to help the ICO understand users’ concerns, am I being paranoid if I say, watch out for your competitors?

Please note that this article cannot be construed as legal advice.