Eight months and counting until the period of “soft enforcement” for the new cookie regulations expires. Current evidence suggests that most website owners are far from ready to comply.
If you’ve managed to miss all the fuss so far, the story goes like this. The Privacy and Electronic Communications (Amendment) Regulations 2011 came into force on 26 May 2011. They introduced a requirement for informed consent in order to place anything but a “strictly necessary” cookie on a user’s device.
The original target of the legislation was third-party cookies and tracking devices but, sadly, all cookies are in scope. Clearly embarrassed by the chaos this would cause, the Government and the Information Commissioner agreed a 12-month “grace period” to allow businesses to develop technical solutions for their sites.
Looking around the web, it’s by no means obvious that brands are making the effort the ICO is expecting. Not surprisingly, there is very little appetite for the “full-on” consent messages which the regulators favour. Stef Elliott from Six Serving Men has been helping some website owners to address the cookie conundrum. The first step is to conduct an audit of cookies on your sites. But even that can be difficult, especially if you allow third-party advertisers to place cookies.
To illustrate the scale of the problem, Elliott monitored eight popular sites and found 347 cookies had been added by a total of 73 different companies. He sums up the challenge: “If companies don’t start soon, then the probability of being compliant come May 2012 - regardless of ICO guidance - is very unlikely. Many website owners do not have an understanding of what websites they are responsible for or what cookies are being set on them. Few companies have a defined policy on third-party cookies or apply it in commercial agreements”.
Jenny Moseley of Opt-4 agrees: “For big groups of companies the sheer scale of the problem is an issue - there may be multiple developers adding content (and cookies) to multiple sites, quickly invalidating a previous audit.” Understandably, advertisers are reticent to collect active consent, knowing that this will lead to a massive drop in trackability. This is also an issue for the website owners whose revenue will often be dependent on measurement from cookies.
So can we expect a magic bullet to be developed in time for the 2012 deadline? The best hope is success in discussions with browser manufacturers who are being encouraged to collect meaningful consent through enhanced settings. Meanwhile, the European Advertising Standards Alliance is addressing online behavioural advertising (OBA) and investigating a standard icon to identify all served ads. If the icon is accepted, users will be able to refuse OBA as it appears.
There is less hope that the issues presented by cookies on mobile devices will be solved in time. The lack of commonality between smartphone operating systems and browser access software means there is no “cookie cutter” solution here. For website operators who are just embarking on the cookie journey, there is advice from the ICO. (Although even Commissioner Chris Graham admits, “this advice is very much a work in progress and doesn’t yet provide all of the answers.”)
More recently, DMA guidance notes have emerged giving practical steps towards compliance and encouraging brands to educate users about the benefits of cookies.
Whether the answer is education, old fashioned persuasion or technical development, website owners can expect a busy eight months.