Since the last privacy ruling in 2003 the key change is:
- OLD : You must provide the option for users to opt out of cookies being stored on their device, changes to
- NEW : You must obtain consent for cookies to be stored on a user’s or subscriber’s device
It is interesting to note that the original ruling has been in place for over 8 years yet almost no site actually complied with this ruling. The ICO and EU have not provided specific processes for companies to follow, nor have they really provided much in the way of solid guidance.
What areas are going to be affected?
- Analytics, conversion and performance reporting
- Function of the web-site
- Split testing
Not all cookies will require explicit consent.
- A cookie to remember goods and services for the purposes of “checking out”, à la e-commerce.
- A cookie that is used as part of the 7th Data Protection principle which states “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
- Load-balancing cookies that speed up page loading by distributing the workload among a number of web-servers.
It should be noted that there is very specific reference to “Cookies used to recognise a user and give them tailored content”. This is NOT a permitted exception.
The initial position was that everyone must be 100% compliant by May 25th 2012. This has, however, softened over time with the recent statement “There will not be a wave of knee-jerk formal enforcement action taken against people who are not yet compliant but trying to get there” coming out of the ICO.
A whole industry is springing up around this date and most (all?) are using a fear/uncertainty/doubt close that entails a lot of scaremongering. Ignore most of it. With 4 months to go some are scaremongering with headlines like “Websites face £500k fine for breaching ‘cookie’ law“.
It is worth noting that there are larger fines available to the ICO, but these apply to all outbound marketing activities covered by the revised Privacy and Electronic Communications Regulations, and that definitely affects other activities carried out by most organisations, such as unwanted emails and texts.
Be also aware that some sites that initially (over)reacted to the new privacy rules have now softened their stance, presumably because it was having such an adverse effect on business.
It is also worth noting that hosting and operating outside of the EU won’t get round the problem if you want to supply goods and services into the UK (wow, that sounds like a minefield!). And finally, there are some differences in how this will apply in different EU states, but the differences are far fewer than the similarities.
Effect on third-party systems (reporting and analytics, mostly)
It is also to be noted that the only site (of note) using the explicit system is the ICO site and they have seen a dramatic drop in the number of recorded visitors to the site. This drop has come about as less than 9% of visitors agree to the policy.
This is not to say that the overall traffic has fallen, far from it. Some reports suggest that the traffic to the ICO has tripled since the announcement.
This is, I believe, an issue that the various analytics and reporting providers should be providing a solution to now. We are already starting to see the effects of privacy as Google (via SSL search) now withholds around 30% of search terms from the referrer, making them invisible to the web-site and therefore to analytics and reporting.
However, for some, the user journey, mapping and conversion requires a way to recognise visitors and this is mostly provided via a cookie. It doesn’t have to but many folks are seduced by the allure of recording every (?) customer journey. Not really sure why they need to record every person’s journey, a 10% sample should probably do the trick nicely.
Effect on first-party systems
I would suggest the following should not directly be affected:
- Any system that can conclusively show it needs cookies to provide data security; this should include login systems and services that store personal information.
- Transaction-based applications that require the use of a cookie to store data in between stages, much like e-commerce or online booking. A system that would be rendered inoperable by the absence of cookies.
Cookies that will typically need consent are those used:
- in profiles to recognise different users
- in testing different content to different users
- to pre-populate fields on the site based on previously entered information
- in remembering logins into secure systems (including forums)
- in taster-type applications that show user-journey specific content
- in sales stages display applications
- country selectors
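The two lists above amount to a classification: a small set of “strictly necessary” cookies (checkout basket, login/security, load balancing) that can be written without asking, and everything else (visitor recognition, split testing, country selectors, pre-population) that has to wait for an opt-in. The following is an added example, not code from the original post, of a consent gate that enforces that split in the browser. Cookie names, the category registry and the store interface are illustrative assumptions; the in-memory store stands in for document.cookie so the logic can be run outside a page.

```javascript
// Added example (not from the original post): a consent gate that classifies
// cookies into "necessary" (exempt) and consent-requiring categories.
// Necessary cookies are written immediately; analytics and personalisation
// cookies are held back until the visitor opts in, and expired again if
// consent is withdrawn. Names and categories below are assumed, not real.

const NECESSARY = 'necessary';
const ANALYTICS = 'analytics';
const PERSONALISATION = 'personalisation';

// Hypothetical registry: every cookie the site sets must be listed here, so
// an unlisted name is refused rather than silently written (fail closed).
const COOKIE_REGISTRY = Object.freeze({
  session_id: NECESSARY,       // login / data-security cookie
  csrf_token: NECESSARY,       // part of "appropriate technical measures"
  basket: NECESSARY,           // remembers goods for checkout
  lb_route: NECESSARY,         // load-balancer affinity
  _visitor: ANALYTICS,         // visitor recognition for analytics
  ab_variant: PERSONALISATION, // split testing
  country: PERSONALISATION,    // country selector / tailored content
});

// Build a Set-Cookie style string. Secure and SameSite=Lax are sensible
// defaults for first-party cookies; HttpOnly cannot be set from JavaScript.
function serialize(name, value, attrs = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  parts.push(`Path=${attrs.path || '/'}`);
  if (attrs.maxAge !== undefined) parts.push(`Max-Age=${attrs.maxAge}`);
  parts.push(`SameSite=${attrs.sameSite || 'Lax'}`);
  if (attrs.secure !== false) parts.push('Secure');
  return parts.join('; ');
}

// In-memory store so the gate can be exercised outside a browser. In a page
// you would supply one whose set() assigns document.cookie and whose
// remove() assigns `${name}=; Max-Age=0; Path=/` to expire the cookie.
function memoryStore() {
  const jar = new Map();
  return {
    set: (name, header) => jar.set(name, header),
    remove: (name) => jar.delete(name),
    has: (name) => jar.has(name),
    get: (name) => jar.get(name),
    names: () => [...jar.keys()],
  };
}

function createConsentGate(store, registry = COOKIE_REGISTRY) {
  const consented = new Set([NECESSARY]); // necessary never needs consent
  const deferred = new Map();              // name -> { value, attrs }

  function categoryOf(name) {
    const category = registry[name];
    if (!category) throw new Error(`unregistered cookie: ${name}`);
    return category;
  }

  // Returns true if the cookie was written, false if held pending consent.
  function setCookie(name, value, attrs) {
    const category = categoryOf(name);
    if (!consented.has(category)) {
      deferred.set(name, { value, attrs });
      return false;
    }
    store.set(name, serialize(name, value, attrs));
    return true;
  }

  // Record an opt-in and flush any cookies that were waiting on it.
  function grant(...categories) {
    categories.forEach((c) => consented.add(c));
    for (const [name, { value, attrs }] of deferred) {
      if (consented.has(registry[name])) {
        deferred.delete(name);
        setCookie(name, value, attrs);
      }
    }
  }

  // Withdraw consent and expire cookies already written in that category.
  function revoke(category) {
    if (category === NECESSARY) throw new Error('necessary cookies cannot be revoked');
    consented.delete(category);
    for (const name of store.names()) {
      if (registry[name] === category) store.remove(name);
    }
  }

  return { setCookie, grant, revoke, hasConsent: (c) => consented.has(c) };
}

// Walk-through: necessary cookie written at once, analytics held until opt-in.
const demoStore = memoryStore();
const demoGate = createConsentGate(demoStore);
demoGate.setCookie('session_id', 's3ss10n'); // written immediately
demoGate.setCookie('_visitor', 'v-001');     // held back
demoGate.grant(ANALYTICS);                   // now written
console.log(demoStore.names());              // [ 'session_id', '_visitor' ]
```

The useful property is that analytics and personalisation code never touches document.cookie directly: it asks the gate, and the gate either writes or defers. That keeps the consent decision in one place and makes the “which cookies do we actually set?” question answerable from the registry rather than from a search of every script on the site.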
So what now?
So there is not a threat of legal action if you are following the advice to achieve compliance. Interpreting the guidance, this suggests that by May you should have:
- Implemented or be working on implementing a method of offering opt-in to cookies.
The first two items are pretty straightforward but the last one is more troublesome.
This also gives you the opportunity to test some of the solutions in a conventional A/B test environment, whilst you can. This is different from normal testing, where we are looking for a statistically confident winner; here it is a test to explicitly measure the drop in conversion rates.
However, if the press reaction to the EU policy is good then there is an argument that overt cookie compliance or overly public displays of privacy (sounds odd, I know) could actually increase the effectiveness of the web-site – but that’s a subject for another day.