With the aim of protecting the privacy of internet users, the Directive requires websites to obtain permission from users before certain types of cookies—small files that store information about an individual’s online session—are used. Companies that do not comply could face fines of up to £500,000.
“The cookie laws have created a confusing situation for all website owners. There are pages and pages trying to interpret what needs to be done to be compliant—and as yet no clear answer,” says Chloe Thomas, who runs online marketing agency IndiumOnline. “The key point of the UK version is that you need ‘prior consent’ in order to drop ‘nonessential’ cookies on users. Prior consent is easy to understand, but hard to implement,” she adds.
Essential cookies are defined as those necessary for a service, for example, to remember the contents of a user’s basket as he navigates an online shop, and are therefore exempt. “The offending cookies are those that study the customer’s profile and behaviour, are applied to personalise a website or serve relevant third-party adverts,” explains Kevin Galway of digital marketing agency BSS Digital. In order to continue using nonessential cookies, website owners must unambiguously obtain consent from users; for example, by updating privacy policies or using pop-ups during a visitor’s session. Even businesses that don’t use sophisticated behavioural targeting tools need to comply, as Galway warns, “if your site uses Google Analytics, then you are impacted by this law.”
Taking the biscuit
Some retailers welcome the “fuzzy nature” of the new regulations. Rob Silsbury, ecommerce director UK and Europe at Tiffany & Co, says that while complying fully with the new regulation, “we are looking at the lack of defined boundaries as a positive, giving us some freedom to ensure that the impact on our business and the customer experience is minimal”. For him, the big question is what constitutes “consent” and how to deal with those who don’t give it. “The issue of whether ‘consent’ needs to involve a click is the biggest focus and we will be preparing a couple of approaches based on two very different views of the answer.”
At another business that spoke to Direct Commerce on condition of anonymity, the year’s grace helped focus the ecommerce team. Its head of multichannel retail says, “We have run internal audits to understand the totality of the cookies we collect, we considered how best to address the requirement of informed consent, and in particular we paid careful attention to what the ICO was saying and what some of the larger brands were doing.”
For the most part, he is taking a wait-and-see approach: “We noted that the ICO was really only going to act in cases of widespread complaint, or where cookies were being collected for nefarious purposes. As we are unlikely to trigger either of those elements, we will not be actively asking for informed consent.” This isn’t a complete flouting of the law, he hastens to add: “We recognise we could do more to explain to customers about the information we gather on them, and we will be progressively updating our privacy policies over the next three to six months to be more open.”
“It’s tempting to see this as another PCI DSS or 3D Secure. But it’s worse,” says Chloe Thomas. “At least with them it was black and white what needed to be done to be compliant. The penalties for not being compliant with the cookie law are big, but the ICO doesn’t have the resources to prosecute lots of companies.”
So what should you do to ensure you meet the deadline? In the first instance, says BSS’s Galway, all retailers should read the ICO’s guidelines. “Then find out what type of cookies your site has and determine the optimum solution to obtain consent from visitors. There will be a fine balance between the desire to collect as much information as possible on visitors and not deterring them away from your site, but retailers must address this challenge now before it’s too late.”
While the EU Cookie Directive has given a few online businesses and marketers headaches over the past year, ultimately the conversation about privacy has been productive. Trust and privacy are paramount and we should all be actively promoting open dialogue and transparent business models.
Mark Haviland, MD at Rakuten LinkShare
The EU Cookie law is simply a bad law and a restraint to trade online at a time when business needs all the help it can get.
Trading online without using cookies for analytics or various types of marketing tracking is analogous to asking a retailer to trade blindfolded. It's simply not possible.
The law is well intentioned - protecting consumers and consumer data is important but one needs to police the abuse, not the benign actions of honest online merchants.
Michael Ross, Director of eCommera.