By now most web site publishers ought to have worked out how to get consent from visitors. Instead, many may be thinking of ignoring the new rules as part of a growing resistance movement, discovers David Reed.
Schadenfreude is the only way to describe it. The German word means delight in another’s misfortune and it is what most people working in web analytics and many others across the data industry must have felt in late May last year. That is when the Information Commissioner’s Office followed its own guidance on how to comply with the “Cookies Law” and put a pop-up onto its web site requesting consent.
As is now well known, from 26th May 2011, traffic on the site fell by 80 to 90 per cent as visitors saw the request and went elsewhere. At that stage in the new compliance era, you really had to want to find out about data protection in order to say yes to the ICO’s request.
Nine months have passed since then and much has been discussed about the meaning of the regulations and whether they always require an opt-in. Yet as any regular web user will know, relatively few sites have followed suit and pushed a consent request to visitors. Even the ICO has changed its approach and has now moved the issue into a detailed table of what cookies are used and how to stop them on its Privacy Notice page.
Mark Patron, chief executive of RedEye, says this is because, “the ICO is taking a very pragmatic line and common sense has prevailed. We will never see privacy legislation getting in the way of talking to customers. If we did, it would be madness.”
He draws an important distinction, however, between cookies that are placed by the web site owner and third party cookies for ad tracking and behavioural targeting. “Their situation is very different,” says Patron.
Even so, the issue remains complex and unresolved. “The difference between explicit consent and opt-in is very important, but little understood,” he notes. Prior to the new regulation becoming law last May, initial best practice advice presented web site publishers with significant problems. For major internet service providers, it meant offering a tick box which, if the consumer did not uncheck it, meant they were giving consent. But the DMA advised the complete reverse, offering an empty box which would have to be actively ticked. “One was a double negative, the other a single negative,” says Patron.
Steve Kemish, director of Cyance, believes the rise of Google Accounts and Facebook Connect is making explicit consent easier to achieve. “I would really expect people to understand they are using cookies to gather data and create a good user experience. People only have to log-in once to those services - that may be the way it goes elsewhere,” he says.
Sites increasingly carry Google, Facebook and Twitter buttons which are technically serving third-party cookies that require consent each time. But if a visitor has an account and has logged into it previously, an argument could be made that they are perfectly aware they are being tracked and have not objected.
Log-in looks like an important option for publishers to consider, too. If so, that would be a major change. “It is potentially a cultural shift, particularly in media circles. Newspaper publishers rely on cookies to deliver free content. Consent for cookies would spell the end of that as publishers may be forced to shift from that to log-in or they can’t give free content. The rules of engagement may change,” says Kemish.
Moving towards log-in as standard practice would require digital marketers to confront some failings in their own past. “We have been lazy as communicators in particular when it comes to persuading consumers to log-in,” he says. That is not a problem Facebook has had, suggesting consumers are willing to engage this way if they value the content or service highly enough.
“On the other hand, maybe nothing will change. There are a number of laws in place in the UK that are not enforced already, like not using a mobile phone while driving. Just because a law has been passed does not mean it will be complied with,” suggests Kemish. “It is up to bodies like the DMA and IAB to clear up the rules of engagement and best practice.”
Marketers may feel happy to ignore the new laws - evidence from visiting web sites suggests this is commonplace - but their legal departments and compliance officers are less likely to be so laissez-faire. The need to tick off consent to cookies is part of broader data governance and within large organisations will not be off the agenda. It is more likely that tests are being carried out discreetly in tandem with discussions with the ICO over whether they are doing the right thing.
Legal advice does not necessarily resolve the problem, as Jonathan Erwin, managing director of Aspect Web Media, points out: “If you had a panel of legal experts, they would all differ in their view,” he says. At the same time, consumers are becoming more single-minded about how their personal information is being captured and used, especially for behavioural tracking.
“That has been successful in the UK because there is a big brand landscape. Consumers have become more sensitive about their privacy and concerned about what information is available to companies who are making recommendations based on their browsing behaviour,” says Erwin. The experience of seeing targeted ads crop up on multiple sites after abandoning a basket, for example, makes many web users uneasy.
“It comes down to the issue of how intrusive cookies are. The ICO will need to give guidance as to what they think it is, rather than lumping all cookies under one umbrella,” he says. Service-based cookies, for example, are fundamental to the way many of the most popular websites operate, such as BA.com. “If you don’t want to accept a cookie there, you can’t use those sites,” he notes.
Some of these sites have been experimenting with gaining an opt-in for cookies during search, so visitors arrive already permissioned. Linking to a Google log-in at the same time will also resolve some of the barriers currently presented. But that may only be an option for companies with sufficient brand strength that consumers will not just look for an alternative where this permission is not being sought.
Emerging compliance frameworks are stressing this differential approach to cookies, with the International Chamber of Commerce UK setting out a four-tier view, providing levels of information and opting that reflect the nature of the cookie’s role, from fundamental to the service to the more optional.
Even so, there is still a huge amount of work to be done. “Publishers underestimate the number of cookies on their site by 80 per cent,” says Chris Swarbrick, head of ad operations at Media Contacts. “The main reason is that they don’t realise the level of third party cookies, from the technical, like content management systems, to additional third parties, like social network buttons and even Flash objects. They all set cookies.”
The ICO itself struggled to get to grips with the volume of cookies across its site and found it highly challenging to get to a definitive list. Any site relying on ad revenues to pay for free content will have a long list of cookies to work through - the technical aspects may be harder to resolve.
Swarbrick says there have been two reactions to the ongoing problem. The first has been to ignore the need for consent to cookies that are only used for tracking and web analytics. “That is not a long-term solution because the extent of what counts as personal data is going to expand with the revised Data Protection Directive,” he points out. This is driving a second reaction in which publishers roll up their sleeves and try to find a solution.
His agency’s newly-launched Cookie Consultancy is designed to help clients work out what cookies they have, which they need and test ways of gaining consent to them. Even so, he acknowledges that, “the ultimate goal of complete consent compliance is probably impossible. We try and move clients to a position where they are at least more aligned to the spirit of the law.”
Enforcement is not due to happen until 26th May this year. By then, more publishers will have moved towards compliance, but there will still be plenty of exceptions - with third-party cookies from social networks potentially the most common among them. What the ICO chooses to do will be critical. Picking on a big name, high profile brand or dealing progressively behind the scenes are both possibilities, while doing nothing could yet happen given the full agenda of the data protection review.
Even if there is a real push for compliance, it may yet be pointless. As Kemish points out, “cookies are not accepted on most mobile phones. For brands in the next few years, mobile will be the main access portal to their web sites.” Putting too much resource into building a solution for a channel that is going out of date could yet lead to the biggest act of non-compliance ever seen in the UK data industry.