Cookie Law - implications of the EU privacy directive
Compliance implications of the EU e-privacy directive
Just when we were celebrating getting rid of IE6…
Overview
The Revised E-Privacy Directive, aka the “Cookie Law”, is due to be enforced from the 26th May 2012. The synopsis is that if you are tracking users and capturing data on them, you MUST ask them for consent or you cannot track them. Most tracking is achieved via browser “cookies” (simple text files containing data).
The only exceptions are for cookies which are “strictly necessary” and without which websites won’t work properly:
- Framework session cookies (EG a PHP session cookie)
- Shopping cart cookies (can’t have the cart forgetting what you tried to buy)
Analytics cookies are not included in the “strictly necessary” definition.
The upshot
1. Companies are going to have to conduct a cookie audit to identify what their website is actually doing and then implement a solution to ask users for permission for any cookies that the company deems necessary.
2. Companies that choose to be fully compliant are going to lose a massive percentage of their analytics data, as a large percentage of users will not consent to tracking. The Information Commissioner’s Office (UK regulatory body) revealed a 90% drop in analytics stats when they implemented a consent solution.
Reading between the lines
The ICO has said that it’s looking for “positive steps” when it comes to any enforcement policy, and we should expect them to be helpful rather than adversarial in the first few months of enforcement. With this in mind, some companies are choosing to meet a minimum level of compliance now, with a view to re-assessing the lay of the land later on once a consensus on best practice has been reached by the early adopters.
There are also grumblings that although the ICO are laying down the law, the government hasn’t yet really had its say, instead commenting on the need for browser vendors to provide a solution.
http://bit.ly/H9ZjxL
Basically, the implementation of the law is a mess; should we sit tight and see what happens?
Reading between the lines
On top of all this, and rather intriguingly, the ICO has left a small door open on analytics cookies (through which everyone is stampeding).
“Provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action.”
IE – “They are still illegal, but we’re unlikely to come down on you for them”
http://bit.ly/HAhBIq
“Strictly Necessary”
The directive contains 2 concepts:
- Strictly necessary: cookies without which websites cannot operate. EG shopping carts can reasonably be expected by the user to remember previous items the user has selected to purchase. Without remembering this, the cart is useless and the user journey fails.
- Informed consent: for all other purposes, you have to ask the user whether they are OK with you tracking them for this purpose.

Strictly Necessary | Informed Consent
Load balancing     | Analytics
PHP Session        | Advertising networks
Shopping basket    | User preferences (EG “Welcome back John”)
1st party vs 3rd party
The type of cookie being set also impacts on this, especially those cookies placed by sites other than the one the user is browsing.
- 1st party cookies are cookies set by YOUR website
- 3rd party cookies are set by other sites (EG Google Adwords) to track users as they browse from site to site. These are typically advertising cookies.

                   | 1st Party                                                      | 3rd Party
Strictly Necessary | No consent required                                            | n/a
Consent required   | Consent granted once, can keep the setting stored indefinitely | Have to ask for consent each time a user visits the site
Compliance step 1
Audit the cookies the site is currently setting and establish which are 1st and 3rd party, along with what fits the description of strictly necessary.
Compliance step 3
Implement a system to get consent from the users:
- It should link to the information on your site about cookies and explanations of what you do with the data
- It should have a method of asking users for their consent for you to track them
Importantly it also needs to be:
- Obvious and friendly enough to encourage as good a click rate as possible
- Intelligent with regard to 1st and 3rd party cookies
Compliance workflow
1. User arrives: either a repeat visitor with a consent cookie present, or a new user / no consent cookie.
2. Strictly necessary cookies are set.
3. 3rd party cookies need setting.
4. Consent solution presented on page load.
5. User declines, accepts or ignores.
6. 1st and 3rd party user cookies set as appropriate, along with a “consent” cookie.
At this point it’s not clear whether the best solution is to “nag” the user on every page. The problem is that to avoid doing so… you need to set a cookie!
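The page-load decision described in the workflow above, combined with the 1st/3rd party rules from the earlier table, as an added example that is not code from the original deck. The cookie names, the audit list and the one-year lifetime used to mean “indefinitely” are constructed assumptions.

```javascript
// Added example (not from the original deck): a page-load consent gate applying the
// deck's rules. Cookie names, the AUDIT list and ONE_YEAR are constructed assumptions.
const CONSENT_COOKIE = "cookie_consent";       // stores the visitor's 1st-party choice
const ONE_YEAR = 365 * 24 * 60 * 60;           // "indefinitely" in practice (seconds)

// Output of the cookie audit (step 1): every cookie the site sets, classified.
const AUDIT = [
  { name: "PHPSESSID", party: "1st", necessary: true },   // framework session
  { name: "cart",      party: "1st", necessary: true },   // shopping basket
  { name: "_ga",       party: "1st", necessary: false },  // analytics
  { name: "prefs",     party: "1st", necessary: false },  // "Welcome back John"
  { name: "ad_id",     party: "3rd", necessary: false },  // advertising network
];

// Parse a document.cookie-style string ("a=1; b=2") into a plain object.
function parseCookieJar(jar) {
  const out = {};
  for (const part of jar.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    out[part.slice(0, idx).trim()] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Decide which audited cookies may be set on this page load and whether the consent
// prompt must be shown. `jar` is the current cookie string; `thisVisitChoice` is the
// answer to the 3rd-party prompt during this visit: "accept", "decline" or null.
function consentGate(jar, thisVisitChoice) {
  const stored = parseCookieJar(jar)[CONSENT_COOKIE];   // undefined, "granted" or "declined"
  const allowed = [], blocked = [];
  for (const c of AUDIT) {
    let ok;
    if (c.necessary) ok = true;                            // strictly necessary: never gated
    else if (c.party === "1st") ok = stored === "granted"; // asked once, remembered
    else ok = thisVisitChoice === "accept";                // 3rd party: asked every visit
    (ok ? allowed : blocked).push(c.name);
  }
  const needsThirdParty = AUDIT.some((c) => c.party === "3rd");
  const showPrompt = stored === undefined || (needsThirdParty && thisVisitChoice === null);
  return { allowed, blocked, showPrompt };
}

// Build the Set-Cookie value that records the choice. Declines are stored too, otherwise
// the visitor would be nagged on every page: avoiding that needs a cookie, as the deck notes.
function consentCookieHeader(choice) {
  const value = choice === "accept" ? "granted" : "declined";
  return `${CONSENT_COOKIE}=${value}; Max-Age=${ONE_YEAR}; Path=/; SameSite=Lax`;
}
```

In a real page the blocked list is what must never reach the analytics or advertising script loaders, and the header string would be written via document.cookie or a Set-Cookie response header.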
Solutions:
Status Bar - Top
- Pros – Imposing and in the eyeline but not obstructive, the user can continue to browse.
- Cons – Can be ignored.
Status Bar - Bottom
- Pros – Not obstructive, the user can continue to browse, still very obvious.
- Cons – Can be ignored, not in the eyeline on taller pages unless it floats over content.
Solutions:
Modal Overlay
- Pros – Very imposing, user cannot pass without making a choice.
- Cons – Very obstructive, might lead to higher bounce rate from the site.
Gutter Widget
- Pros – Can be nicely designed, floats to remain in the user’s eyeline, 3rd party script already exists.
- Cons – Too easy to ignore, overlays content on smaller screens, not much use for mobile.
Sampling via Google Analytics
Even if there is a 90% drop, the remaining 10% is still a representative sample of your user base. Statistics for the whole can be inferred from this sample. It is not clear though whether this 10% would be “engaged” with your company already – IE whether the sample is skewed.
A/B Testing
There is currently very little / no public data on the effects of the various types of solution on user interactions with websites. There is certainly no best practice as yet, and there are various organisations competing to try and come up with a standard.
Eventually a standard will emerge, or the issue will be solved by the browser vendors (which is the argument for the “reading between the lines” approach to compliance in slide 4).
In the meantime the very best approach would be to test the implementations against each other and gather hard data on which works best for the users of YOUR site.
A/B testing is cheap to conduct, but the cost will include having to develop at least 2 compliance solutions initially.
Final Consideration
Whatever your company decides to do, comms teams should be aware of the company policy, especially if non-compliance is followed, as there could be incoming traffic on this subject.
Further reading
Latest state of play:
- http://econsultancy.com/uk/blog/9453-econsultancy-s-solution-to-eu-e-privacy-directive-compliance
- http://www.cookielaw.org/blog.aspx
- http://blog.silktide.com/
Implementation examples:
- http://db.tt/yYc182rv (PowerPoint Deck)
- http://bt.com (Go to bottom right corner and click on “Cookies”)