It is not about cookies but trust

Posted on: Thursday 24th of May 2012

May 26 is an important date for UK websites and businesses. As from then, all businesses have to comply with the so-called Cookie law. The essence of this law is that users must be asked for their consent before cookies are used. We’ve wrestled with the practical implications of how to do this and this post sets out our thoughts.

Let’s get the important, but dull, points out of the way. The law is the law and you have to comply. We are neither lawyers nor experts so you shouldn’t assume these thoughts constitute legal advice. The law applies to all electronic devices: not just PCs, laptops and tablets but smartphones as well. It is not only about websites; it is also relevant to marketing communications such as emails. Note that this article was amended on May 31 on the basis of new advice from the Information Commissioner’s Office – in which implied consent is deemed to be acceptable.

Our overall view is that you can look at the detail or the principles. In this case, the principles of the Directive (the European law) really set out a positive, new information contract between companies and consumers and the basis of this contract is one of trust between the two parties.

At its core, the Cookie law requires transparency about what personal information is collected and shared and a degree of control about that process. If you don’t like the idea that your personal information might be stored, used and passed on to others, you can opt out. As one commentator (at DataGuidance) put it, “to comply with the law, marketers need to provide clear, transparent information to consumers so that they can make an informed choice to accept cookies from websites and digital communications”.

The challenge to business (and, of course, we are one of those) is two-fold. First, it seems that allowing customers/consumers/browsers/readers to opt out using their browser settings isn’t sufficient. Second, cookies have been around for so long that they are part and parcel of the overall experience of using a website – for example, I would quite like to be able to return to a site and find that the weather it shows me is my local weather (set purely based on location preferences, not my personal details).

Let’s deal with the second issue, first. The advice we would give is that you should state on your cookies policy (or privacy policy) what cookies are used, how long they are kept for and whether the information goes to third parties. There is a real danger of making this complicated but, in our view, there are three types of cookie:

1. Session cookies – typically used to deliver a better ‘shopping’ experience, they expire within a set time (perhaps when you leave the site). These are described as essential cookies and don’t require user consent under the law.

2. Tracking cookies – typically used by websites (and in company newsletters etc) to allow the sender to work out just what is working in their communications and on their websites. Examples include website analytics or pixels in newsletters to see if they are opened.

3. Third-party cookies – typically used to track users across sites and to deliver integrated content (for example, ads relevant to what is being viewed).

The problem for all companies is that each one of these cookies can be both benign and considered as providing an opportunity for misuse. For some people, a site remembering that you’ve visited before is a good thing; others are worried they are being tracked. For some, ads that are related to content are good; others are worried that they are being targeted. For some, clicking on a link to Facebook is a time-saver; for others, there is a concern that doing so allows Facebook to store that process.

As ever, the legislation is open to gaming. For example, sites do not have to ask permission to use cookies that are ‘strictly necessary’ for the functioning of the service. But what do you include, and exclude, from this? Are cookies used for analytics ‘strictly necessary’ (note that the latest advice seems to be that implied consent makes them ok)? And how long do they need to last – for just one session, or for 100 years? (Again, it’s hard to see how a ‘permanent’, 100-year cookie could be strictly necessary).

As a result, the implication for business is simple – give the customer the choice of how they want to deal with you. Give them the options. A trusted relationship based on what information is stored and shared will deliver a far better long term outcome.

Which brings us back to the first point highlighted above… how do you best give someone the choice about opting out? The problem here is rather circular. On the first visit the customer sees a pop-up or other notice which will say: “our site uses cookies to make your browsing more efficient (plus a link to an explanation)”. The user will then be given the option to accept cookies. The problem comes if the user doesn’t want to accept cookies – not only will that be annoying (to both the business and the person) but it genuinely might mean that your site doesn’t work properly. You can’t get rid of the notice because to do so means that the user will have had to accept a cookie! Although they say that they should not be held up as a role model, the Information Commissioner’s Office (ICO) website has exactly this problem. Its banner has only one check box – I want to opt out of cookies.

At the end of May 2012, the ICO’s new advice implies that as long as you have told people about cookies, the user makes an informed choice about whether to accept them. Which, being polite, is pragmatic but certainly opens the door to ‘gaming’ – “we use cookies to make your website experience better”.

The longer-term way forward seems to be via a more sophisticated approach – giving users more granular control over what they get. There is a parallel here with email marketing. Where once a corporate round-up newsletter might have been the right approach, now people want content related to their specific interest, perhaps about sport but not gardening.

In this case it is about allowing the customer to set preferences: yes, I want cookies so I can decide what content I see and so that I can fill in forms; but no, I don’t want to have my details passed on to any third party.

It will be very easy for businesses to bundle lots of different functionalities under bland wordings such as ‘help improve users’ experience of the site’ which could easily include, or not include, things like behavioural targeting. It is important to be transparent about core bits of functionality. For example, on BT’s site, the company lists a number of functions such as ‘allows you to share pages with social networks such as Facebook’, ‘allows you to comment on blogs’, and to ‘send information to other websites so that advertising is more relevant to you’. (Unfortunately, it then bundles choices, for example, if you want to share pages with social networks you have to accept behavioural targeting too. This is more like the pretence of choice than real choice).

This approach will lead to a step-change in the transparency of website owners about what information is collected and passed on; and certainly threatens advertising-based business models. But if creating a preference engine seems a radical change, perhaps it is worth reflecting that estimates for the numbers of people who have “do not track” installed in Firefox browsers are now approaching 10% (and it is only a year since this feature was introduced into Firefox). Of course, for any site that has a reliance on advertising the rise in ‘do not track’ is a major threat but the fault lines run considerably deeper – “do I trust a site with my information?” needs to be turned on its head. You can trust us because….

PS  Our current privacy policy is here.