Websites are getting used to the idea of gaining implied consent for their cookies. Despite initial resistance, compliance is growing - and consumers are noticing who is doing it right. As David Reed discovers, however, that may only be the start of the permission process.
It is now three months since enforcement started of the need to get consent for a cookie to be dropped onto a website visitor’s browser. In that time, something remarkable has happened - ecommerce has not collapsed, nor has a black hole been created in online traffic. Given the doom-laden predictions of many digital marketers before 26th May about the impact consent requirements would have, that is a surprising (and very welcome) turn of events.
Two other things have also happened since then: firstly, consumers are becoming better informed about the existence of cookies, their purpose, and whether they want to accept them or not; secondly, website publishers have started to understand what works best for them in terms of position, wording and consequences of cookie notices.
Both of those are critical if the ultimate goal of the ePrivacy Directive amendment - to ensure consumers fully understand their rights and what is happening to their data online - is to be achieved. They also clarify the role of the Information Commissioner, since an informed consumer is better able to give consent, while best practice by some publishers makes it easier for the ICO to point to and ask, “if they can do it, why aren’t you?”
Getting to best practice does require a careful consideration of how to manage the tension between business goals and legal demands - and this can take time. Barclays Bank started on its journey towards a compliant solution that still supported its commercial goals two years ago, for example, unlike many website owners who appear to have left it until mid-2012 before considering their options.
Could some brands have decided to resist (or are still doing so)? Consider these comments, all taken from an eConsultancy survey carried out in Spring before enforcement began:
Similar opinions have clearly been listened to quite widely in the online world. When KPMG surveyed 55 websites two weeks after enforcement began, it found that only 20% were in compliance. The good news is that this represented a four-fold improvement on the 5% that were compliant before late May.
The bad news is that it places four in five websites on a collision course with that newly-informed consumer. By late June 2012, the ICO had received 169 complaints about sites that were failing to handle cookie consent correctly. That may not seem like a lot, but in the context of data protection complaints generally it is significant and represents a sharp rise over the seven complaints received between May 2011 (when the law actually came into force) and December.
Consumers are now starting to understand what needs to be done and are looking for publishers to fall into line, otherwise they will take their interest and business elsewhere - or even complain. Understanding of best practice is also starting to emerge from within the digital marketing industry and is beginning to spread.
One of the most notable developments is among performance marketing sites. Alongside behavioural advertising, affiliates represented an area of digital marketing that regulators were particularly concerned about. Bad practice by a handful earned this sector a poor reputation which it has been working hard to overcome.
The five-point plan developed by the IAB Affiliate Marketing Council has been part of that recovery process. By creating a working group of a dozen representative companies, conducting a cookies audit across member sites, developing a consumer guide to affiliate marketing, creating standardised wordings and meeting the UK Government as well as web browser developers it has tried to get ahead of the curve.
“That is a work in progress and is evolving,” Kevin Edwards, strategy director at Affiliate Windows told an IDM Members event in June. He pointed out that affiliate agencies sit between traffic generating site publishers and the destination sites, meaning they are not technically responsible for gaining cookie consent. But doing nothing was not an option.
“The biggest area of growth is increasing web traffic through cashback offers, points or voucher codes,” he said. “That taps into the savvy shopper and I would argue that some of those models are well down the line of informed consent because the consumer is aware that they need to be tracked if they want to earn cashback from Quidco, for example.”
A critical aspect of this affiliate activity is the need for persistent cookies and to ensure that consumers do not delete them. Just as the online world was getting used to the idea of gaining implied consent, it discovered that this was not a once-for-all deal.
ComScore published a study in January 2011 which revealed that 26.8% of Internet users in the UK deleted first party cookies after a month, while 35% deleted third party cookies in the same period. Deletion may be done manually, through clearing a cache, as a result of running security software, or as part of privacy management.
What makes this even more troubling for publishers is the proportion of cookies they drop which these deleters accounted for. The quarter of visitors who deleted first-party cookies once per month had been served with 52.1% of all cookies in that period. But there was a group of super-users - making up 5.7% of all users - who deleted cookies four or more times in a month and were served 31.6% of all cookies.
For third party cookies, deletion is even more of a problem. Clearing the cache once per month was carried out by just over one third of users, but they had been served 66.5% of all cookies. Super-users in this group - who made up 14% of observed users - deleted more than four times in a month and had received 56.1% of all third-party cookies.
The implications of this study are clear - the “savvy shopper” being targeted most heavily by publishers is also more likely to delete cookies, potentially multiple times per month. That means each new visit may require a permissioning statement to be served with the same risk of non-acceptance.
Publishers will also discover they have been guilty of inflating their unique visitor numbers by as much as 2.7 times, according to comScore. Where advertising revenues or affiliate traffic are core to the business model, this could prove highly problematic.
Since May, online marketing has been operating under the watchful eye of the UK regulator. While he may have a hit list of just 75 leading sites, consumers can submit complaints about anybody. As understanding grows around what cookies do and how consent should be asked for, the only way forward seems likely to be best practice, rather than resistance.