Posted on: Thursday 24th of May 2012
May 26 is an important date for UK websites and businesses. As from then, all businesses have to comply with the so-called Cookie law. The essence of this law is that users must be asked for their consent before cookies are used. We’ve wrestled with the practical implications of how to do this and this post sets out our thoughts.
Let’s get the important, but dull, points out of the way. The law is the law and you have to comply. We are neither lawyers nor experts so you shouldn’t assume these thoughts constitute legal advice. The law applies to all electronic devices, not just PCs, laptops, tablets but smartphones as well. It is not only about websites, it is also relevant to marketing communications such as emails too. Note that this article was amended on May 31 on the basis of new advice from the Information Commissioner’s Office – in which implied consent is deemed to be acceptable.
Our overall view is that you can look at the detail or the principles. In this case, the principles of the Directive (the European law) really set out a positive, new information contract between companies and consumers and the basis of this contract is one of trust between the two parties.
At its core, the Cookie law requires transparency about what personal information is collected and shared and a degree of control about that process. If you don’t like the idea that your personal information might be stored, used and passed on to others, you can opt out. As one commentator (at DataGuidance) put it, “to comply with the law, marketers need to provide clear, transparent information to consumers so that they can make an informed choice to accept cookies from websites and digital communications”.
The challenge to business (and, of course, we are one of those) is two-fold. First, that it seems by allowing customers/consumers/browsers/readers to opt out using their browser setting isn’t sufficient. Second, that cookies have been around for so long that they are part and parcel of the overall experience of using a website – for example, I would quite like to be able to return to a site to know that the weather I am interested in is my local weather (set purely based on location preferences, not my personal details).
1. Session cookies – typically used to deliver a better ‘shopping’ experience, they expire within a set time (perhaps when you leave the site). These are described as essential cookies and don’t require user consent under the law.
2. Tracking cookies – typically used by websites (and in company newsletters etc) that allow the sender to work out just what is working on their communications and websites. Examples include website analytics or pixels in newsletters to see if they are opened.
3. Third-party cookies – typically used to track users across sites and to deliver integrated content (for example, ads relevant to what is being viewed).
The problem for all companies is that each one of these cookies can be both benign and considered as providing an opportunity for mis-use. For some people, a site remembering that you’ve visited before is a good thing, for others, they are worried they are being tracked. For some, ads that are related to content are good, for others, they are worried that they are being targetted. For some, clicking on a link to Facebook is a time-saver, for others, there is a concern that doing so allows Facebook to store that process.
As a result, the implication for business is simple – give the customer the choice of how they want to deal with you. Give them the options. A trusted relationship based on what information is stored and shared will deliver a far better long term outcome.
The longer term way forward seems to be via a more sophisticated approach – giving users more granular control over what they get. There is a parallel here with email marketing. When once a corporate round-up newsletter might have been the right approach, now people want content related to their specific interest, perhaps about sport but not gardening.
In this case it is about allowing the customer to set preferences: yes, I want cookies so I can decide what content I see and so that I can fill in forms; but no, I don’t want to have my details passed on to any third party.
It will be very easy for businesses to bundle lots of different functionalities under bland wordings such as ‘help improve users’ experience of the site’ which could easily include, or not include, things like behavioural targeting. It is important to be transparent about core bits of functionality. For example, on BT’s site, the company lists a number of functions such as ‘allows you to share pages with social networks such as Facebook’, ‘allows you to comment on blogs’, and to ‘send information to other websites so that advertising is more relevant to you’. (Unfortunately, it then bundles choices, for example, if you want to share pages with social networks you have to accept behavioural targeting too. This is more like the pretence of choice than real choice).
This approach will lead to a step-change in the transparency of website owners about what information is collected and passed on; and certainly threatens advertising-based business models. But if creating a preference engine seems a radical change, perhaps it is worth reflecting that estimates for the numbers of people who have “do not track” installed in Firefox browsers are now approaching 10% (and it is only a year since this feature was introduced into Firefox). Of course, for any site that has a reliance on advertising the rise in ‘do not track’ is a major threat but the fault lines run considerably deeper – “do I trust a site with my information?” needs to be turned on its head. You can trust us because….