The way the cookie crumbles

On 26th May, new laws come into force governing the way websites use cookies to track user behaviour. The new EU ePrivacy Directive, dubbed the cookie law, was adopted last May by the UK government with website owners given a year’s grace to become compliant.

With the aim of protecting the privacy of internet users, the Directive requires websites to obtain permission from users before certain types of cookies—small files that store information about an individual’s online session—are used. Companies that do not comply could face fines of up to £500,000.

“The cookie laws have created a confusing situation for all website owners. There are pages and pages trying to interpret what needs to be done to be compliant—and as yet no clear answer,” says Chloe Thomas, who runs online marketing agency IndiumOnline. “The key point of the UK version is that you need ‘prior consent’ in order to drop ‘nonessential’ cookies on users. Prior consent is easy to understand, but hard to implement,” she adds.

Essential cookies are defined as those necessary for a service, for example, to remember the contents of a user’s basket as he navigates an online shop, and are therefore exempt. “The offending cookies are those that study the customer’s profile and behaviour, are applied to personalise a website or serve relevant third-party adverts,” explains Kevin Galway of digital marketing agency BSS Digital. In order to continue using nonessential cookies, website owners must unambiguously obtain consent from users; for example, by updating privacy policies or using pop-ups during a visitor’s session. Even businesses that don’t use sophisticated behavourial targeting tools need to comply, as Galway warns, “if your site uses Google Analytics, then you are impacted by this law.”

Taking the biscuit
Some retailers welcome the “fuzzy nature” of the new regulations. Rob Silsbury, ecommerce director UK and Europe at Tiffany & Co, says that while complying fully with the new regulation, “we are looking at the lack of defined boundaries as a positive, giving us some freedom to ensure that the impact on our business and the customer experience is minimal”. For him, the big question is what constitutes “consent” and how to deal with those who don’t give it. “The issue of whether ‘consent’ needs to involve a click is the biggest focus and we will be preparing a couple of approaches based on two very different views of the answer.”  

At another business that spoke to Direct Commerce on condition of anonymity, the year’s grace helped focus the ecommerce team. Its head of multichannel retail says, “We have run internal audits to understand the totality of the cookies we collect, we considered how best to address the requirement of informed consent, and in particular we paid careful attention to what the ICO was saying and what some of the larger brands were doing.”

For the main part, he is taking a wait-and-see approach, “We noted that the ICO was really only going to act in cases of widespread complaint, or where cookies were being collected for nefarious purposes. As we are unlikely to trigger either of those elements, we will not be actively asking for informed consent.” This isn’t a complete flouting of the law, he hastened to add, “we recognise we could do more to explain to customers about the information we gather on them, and we will be progressively updating our privacy policies over the next three to six months to be more open”.

An ecommerce manager at a leading fashion brand told Direct Commerce he had no plans to implement an “opt-in pop-up, roll-down or otherwise”. But what he has done is make the site’s cookie policy robust, listing exactly what cookies it uses and how. His plan, he says, is to wait for as long as possible before having to implement drastic changes. He will make his move “once the cookie question becomes nonthreatening”—the same strategy he used when complying with 3D Secure, he adds.

“It’s tempting to see this as another PCI DSS or 3D Secure. But it’s worse,” says Chloe Thomas. “At least with them it was black and white what needed to be done to be compliant. The penalties for not being compliant with the cookie law are big, but the ICO doesn’t have the resources to prosecute lots of companies.”
So what should you do to ensure you meet the deadline? In the first instance, says BSS’s Galway, all retailers should read the ICO’s guidelines. “Then find out what type of cookies your site has and determine the optimum solution to obtain consent from visitors. There will be a fine balance between the desire to collect as much information as possible on visitors and not deterring them away from your site, but retailers must address this challenge now before it’s too late.”