Cookie Law - implications of the EU privacy directive

  1. Compliance implications of the EU e-privacy directive: Just when we were celebrating getting rid of IE6…
  2. Overview: The Revised E-Privacy Directive, aka the “Cookie Law”, is due to be enforced from the 26th May 2012. The synopsis is that if you are tracking users and capturing data on them, you MUST ask them for consent or you cannot track them. Most tracking is achieved via browser “cookies” (small name/value records that the browser stores and sends back to the site on every request). The only exceptions are for cookies which are “strictly necessary” and without which websites won’t work properly:
     • Framework session cookies (EG a PHP session cookie)
     • Shopping cart cookies (can’t have the cart forgetting what you tried to buy)
     Analytics cookies are not included in the “strictly necessary” definition.
  3. The upshot:
     1. Companies are going to have to conduct a cookie audit to identify what their website is actually doing, and then implement a solution to ask users for permission for any cookies the company wants to keep setting that are not strictly necessary.
     2. Companies that choose to be fully compliant are going to lose a massive percentage of their analytics data, as a large percentage of users will not consent to tracking. The Information Commissioner’s Office (the UK regulatory body) revealed a 90% drop in analytics stats when they implemented a consent solution on their own site.
  4. Reading between the lines: The ICO has said that it is looking for “positive steps” when it comes to any enforcement policy, and we should expect them to be helpful rather than adversarial in the first few months of enforcement. With this in mind, some companies are choosing to meet a minimum level of compliance now, with a view to re-assessing the lay of the land later on once a consensus on best practice has been reached by the early adopters. There are also grumblings that although the ICO is laying down the law, the government hasn’t yet really had its say, having instead commented on the need for browser vendors to provide a solution. Is the implementation of the law a mess, and should we sit tight and see what happens?
  5. Reading between the lines: With this in mind, and the fact that enforcement is pretty unlikely to happen immediately, the following approaches have all been mooted as perfectly valid, depending on the company’s sensitivity to adverse PR if any sort of story were to arise.
     • Baby steps: Do a cookie audit and update the privacy policy with friendly information about the cookies being used. (Not compliant, but a “positive step”)
     • The fifty per cent: Remove all non-essential cookies except for analytics, adopt clear iconography advising which remaining cookies are used, and link to an updated privacy policy. (Not compliant, but arguable – and many companies will be arguing!)
     • Full compliance: Cookie audit, updated iconography / privacy policy, and a solution that tests for user consent for cookies that are not strictly necessary.
     The end decision is definitely a “personal” one, based on the ethos of the company involved and their attitude to risk. (And their users)
  6. Reading between the lines: On top of all this, and rather intriguingly, the ICO has left a small door open on analytics cookies (through which everyone is stampeding): “Provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action.” IE – “They still need consent to be compliant, but we’re unlikely to come down on you for them.”
  7. The detail…
  8. “Strictly Necessary”: The directive contains 2 concepts:
     • Strictly necessary: Cookies without which websites cannot operate. EG shopping carts can reasonably be expected by the user to remember previous items the user has selected to purchase. Without remembering this, the cart is useless and the user journey fails.
     • Informed consent: For all other purposes – you have to ask the user whether they are OK with you tracking them for this purpose.

     Strictly Necessary        Informed Consent
     Load balancing            Analytics
     PHP session               Advertising networks
     Shopping basket           User preferences, EG “Welcome back John”
  9. 1st party vs 3rd party: The type of cookie being set also impacts on this, especially for those cookies placed by sites other than the one the user is browsing.
     • 1st party cookies are cookies set by YOUR website.
     • 3rd party cookies are set by other sites (EG Google Adwords) to track users as they browse from site to site. These are typically advertising cookies.

                            1st Party                                      3rd Party
     Strictly Necessary     No consent required                            n/a
     Consent required       Consent granted once; the setting can be       Have to ask for consent each time a user
                            kept stored indefinitely                       visits the site
  10. Compliance step 1: Audit the cookies the site is currently setting and establish which are 1st and 3rd party, along with which of them fit the description of strictly necessary.
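A small audit script for step 1, added here as an example and not part of the original deck. It takes the Set-Cookie headers captured from a site’s responses (from a proxy or browser devtools), works out which party set each cookie using the deck’s definition (set by your own domain vs set by another site), and flags persistent and insecure cookies for the reviewer. SITE_DOMAIN, the sample responses and all function names are assumptions constructed for this example; the strictly-necessary decision is left to a human, because no script can tell whether a cookie is essential to the user journey.

```javascript
// Added example, not from the original deck: a cookie audit over captured HTTP
// responses. One string per Set-Cookie header (never joined with commas, since
// Expires dates contain commas). SITE_DOMAIN and SAMPLE_RESPONSES are constructed.
const SITE_DOMAIN = "example.co.uk"; // assumed: the audited site's own domain

// Parse one Set-Cookie header into { name, value, attrs }. Attribute names are
// lower-cased; valueless attributes such as Secure and HttpOnly map to true.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";");
  const eq = pair.indexOf("=");
  if (eq < 0) return null; // malformed: no name=value pair
  const attrs = {};
  for (const raw of rest) {
    const a = raw.trim();
    const i = a.indexOf("=");
    if (i < 0) attrs[a.toLowerCase()] = true;
    else attrs[a.slice(0, i).trim().toLowerCase()] = a.slice(i + 1).trim();
  }
  return { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim(), attrs };
}

// The deck's definition: a 1st party cookie is one set by YOUR website, so we
// classify by the host of the response that carried the Set-Cookie header.
function isFirstParty(setByHost) {
  return setByHost === SITE_DOMAIN || setByHost.endsWith("." + SITE_DOMAIN);
}

// Build the audit table: one row per Set-Cookie header across all captured responses.
function auditCookies(responses) {
  const rows = [];
  for (const { url, setCookie } of responses) {
    const host = new URL(url).hostname;
    for (const header of setCookie) {
      const c = parseSetCookie(header);
      if (!c) continue;
      rows.push({
        name: c.name,
        setBy: host,
        party: isFirstParty(host) ? "1st" : "3rd",
        // Persistent cookies outlive the browser session; RFC 6265 says Max-Age
        // wins over Expires, but for an audit either attribute means "persistent".
        persistent: "max-age" in c.attrs || "expires" in c.attrs,
        secure: c.attrs.secure === true,
        httpOnly: c.attrs.httponly === true,
        strictlyNecessary: null, // to be decided by a human reviewer, not the script
      });
    }
  }
  return rows;
}

// Constructed sample capture: what a proxy or browser devtools might have recorded.
const SAMPLE_RESPONSES = [
  { url: "https://www.example.co.uk/", setCookie: [
      "PHPSESSID=3f9a1c; Path=/; HttpOnly",
      "basket=item42; Path=/; Max-Age=604800; Secure",
  ] },
  { url: "https://ads.adnetwork.test/pixel.gif", setCookie: [
      "ad_id=7b2e; Domain=.adnetwork.test; Expires=Wed, 01 Jan 2025 00:00:00 GMT; Secure",
  ] },
];

console.table(auditCookies(SAMPLE_RESPONSES));
```

The output is the starting point for the audit table on the “Strictly Necessary” slide: each row still needs a purpose and a human decision on whether it is strictly necessary, which is where the shopping-cart-style reasoning comes in. Cookies set by JavaScript (most analytics tags) never appear in Set-Cookie headers, so they have to be captured from the browser’s cookie store as a separate pass.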
  11. Compliance step 2: Update your privacy policy to contain clear information on what cookies you would like to set, what they do and where the information goes.
     • Some sites have created whole “cookie” related sections, rather than putting everything into the existing privacy policy.
     • The ICO are keen that the wording is in plain English, as the whole idea of the law is to help users make an informed choice about their privacy.
  12. Compliance step 3: Implement a system to get consent from the users:
     • It should link to the information on your site about cookies and the explanations of what you do with the data.
     • It should have a method of asking users for their consent for you to track them.
     Importantly it also needs to be:
     • Obvious and friendly enough to encourage as good a click rate as possible
     • Intelligent with regard to 1st and 3rd party cookies
  13. Compliance workflow:
     1. User arrives.
     2. Repeat visitor with a consent cookie present → cookies set as appropriate for the recorded decision.
     3. New user, or no consent cookie present → strictly necessary cookies set. If 1st or 3rd party cookies that need consent are to be set, the consent solution is presented on page load.
     4. User accepts, declines or ignores the prompt → user cookies set as appropriate, along with a “consent” cookie recording the decision.
     At this point it’s not clear whether the best solution is to “nag” the user on every page. The problem is that to avoid doing so… you need to set a cookie!
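The workflow above as request-handling logic, added here as an example and not code from the original deck. It runs under Node.js with no dependencies. For each request it reads the Cookie header, lets strictly necessary cookies through unconditionally, allows the rest only where a matching consent cookie says “yes”, and reports whether the consent solution must be shown. It also encodes the 1st/3rd party table from slide 9: the 1st party decision is remembered with a long Max-Age, while the 3rd party decision is a session cookie, so it is asked for again on the next visit. The cookie names, the catalogue entries, the one-year lifetime and the sample headers are assumptions constructed for this example.

```javascript
// Added example, not from the original deck: the consent workflow as server-side
// logic. Cookie names, catalogue entries and the one-year lifetime are assumptions.
const FIRST_PARTY_CONSENT = "consent_1p"; // assumed name; remembered across visits
const THIRD_PARTY_CONSENT = "consent_3p"; // assumed name; session-only, re-asked each visit
const ONE_YEAR = 365 * 24 * 60 * 60;       // assumed lifetime of the 1st party decision

// The deck's two categories, filled with constructed entries: strictly necessary
// cookies never need consent, everything else needs informed consent.
const COOKIE_CATALOGUE = [
  { name: "PHPSESSID", party: "first", strictlyNecessary: true,  purpose: "framework session" },
  { name: "basket",    party: "first", strictlyNecessary: true,  purpose: "shopping cart" },
  { name: "analytics", party: "first", strictlyNecessary: false, purpose: "analytics" },
  { name: "welcome",   party: "first", strictlyNecessary: false, purpose: "user preference" },
  { name: "ad_id",     party: "third", strictlyNecessary: false, purpose: "advertising network" },
];

// Parse the Cookie request header (name=value pairs separated by ';') into a map.
function parseCookieHeader(header) {
  const jar = {};
  for (const part of (header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (name) jar[name] = part.slice(eq + 1).trim();
  }
  return jar;
}

// One pass through the flowchart. Necessary cookies always go out. Every other
// cookie is allowed only if the consent cookie for its party says "yes". If any
// non-necessary cookie has no recorded decision at all (neither "yes" nor "no"),
// the consent solution must be presented on this page load. A recorded "no" is
// respected silently, which is exactly why declining also needs a cookie.
function planResponse(cookieHeader) {
  const jar = parseCookieHeader(cookieHeader);
  const decision = { first: jar[FIRST_PARTY_CONSENT], third: jar[THIRD_PARTY_CONSENT] };
  const allowed = [];
  let showConsentSolution = false;
  for (const c of COOKIE_CATALOGUE) {
    if (c.strictlyNecessary) { allowed.push(c.name); continue; }
    const d = decision[c.party];
    if (d === "yes") allowed.push(c.name);
    else if (d !== "no") showConsentSolution = true;
  }
  return { allowed, showConsentSolution };
}

// Record the user's choice as Set-Cookie header values. The 1st party decision is
// kept for a year (the deck says "indefinitely"); the 3rd party decision has no
// Max-Age, so it dies with the browser session and is asked for again next visit.
function recordDecision(firstParty, thirdParty) {
  const base = "Path=/; SameSite=Lax; Secure";
  return [
    `${FIRST_PARTY_CONSENT}=${firstParty ? "yes" : "no"}; Max-Age=${ONE_YEAR}; ${base}`,
    `${THIRD_PARTY_CONSENT}=${thirdParty ? "yes" : "no"}; ${base}`,
  ];
}

// Walk the arrivals from the flowchart with constructed request headers.
const SAMPLE_HEADERS = [
  "",                                       // new user
  "PHPSESSID=3f9a1c; consent_1p=yes",        // repeat visitor, 3rd party not yet asked this session
  "consent_1p=yes; consent_3p=yes",          // repeat visitor, everything consented
  "consent_1p=no; consent_3p=no",            // declined, and we remember it without nagging
];
for (const h of SAMPLE_HEADERS) {
  console.log(JSON.stringify(h), "->", JSON.stringify(planResponse(h)));
}
```

The consent cookies themselves carry no tracking data and exist only to honour the user’s choice, which is the practical answer to the “you need to set a cookie!” problem: keep them minimal, first party, and documented in the privacy policy alongside the strictly necessary ones.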
  14. Solutions:
     Status Bar - Top: Pros – Imposing and in the eyeline but not obstructive; the user can continue to browse. Cons – Can be ignored.
     Status Bar - Bottom: Pros – Not obstructive, the user can continue to browse, still very obvious. Cons – Can be ignored; not in the eyeline on taller pages unless it floats over content.
  15. Solutions:
     Modal Overlay: Pros – Very imposing; the user cannot pass without making a choice. Cons – Very obstructive, might lead to a higher bounce rate from the site.
     Gutter Widget: Pros – Can be nicely designed, floats to remain in the user’s eyeline, and a 3rd party script already exists. Cons – Too easy to ignore, overlays content on smaller screens, not much use for mobile.
  16. Server-side analytics: Rather than relying on cookies and JavaScript, you let the web server itself gather data on the user from the PHP process or server logs. This could also be against the law, although there appears to be some confusion on this matter still.
     Pros:
     • Some form of analytics can be kept live to inform business decisions.
     Cons:
     • The available solutions are not as advanced: they don’t track nearly so much data or enable advanced functions such as funnels or goals, and you can’t reliably track repeat users.
     • Has a cost implication for implementation, even if the solution itself is open-source.
     • Adds extra load to the web server.
     • Cannot be installed on some hosting environments.
  17. Sampling via Google Analytics: Even if there is a 90% drop, the remaining 10% may still be a representative sample of your user base, and statistics for the whole can be inferred from this sample. It is not clear though whether this 10% would be users already “engaged” with your company – IE whether the sample is skewed.
  18. A/B Testing: There is currently very little / no public data on the effects of the various types of solution on user interactions with websites. There is certainly no best practice as yet, and there are various organisations competing to try and come up with a standard. Eventually a standard will emerge, or the issue will be solved by the browser vendors (which is the argument for the “reading between the lines” approach to compliance in slide 4). In the meantime the very best approach would be to test the implementations against each other and gather hard data on which works best for the users of YOUR site. A/B testing is cheap to conduct, but the cost will include having to develop at least 2 compliance solutions initially.
  19. Final consideration: Whatever your company decides to do, comms teams should be aware of the company policy, especially if non-compliance is the chosen route, as there could be incoming traffic on this subject.
  20. Further reading: Latest state of play: privacy-directive-compliance examples (PowerPoint deck) (Go to bottom right corner and click on “Cookies”)