Which way is the new cookie law starting to crumble?
We look back at some of our clients’ and the wider digital media industry’s approach to the new
cookie laws which came into force in May this year.
Quick recap. As from May, you can only place and access cookies and similar technologies (e.g.
web tags, beacons, clear gifs) on a user’s machine if you have prior, specific, informed consent from
that user to do so. There are only two exceptions: where the cookie is “strictly necessary” for
performance of a service a user has requested, or where its sole purpose is to transmit
communications over a network.
The law covers both cookies you place and those placed by others through your sites, such as
analytics applications and advertising networks.
Knowledge is power. You probably need an audit. Very few businesses actually know what cookies
are used throughout their sites (even if they think that they do at the outset). The results can be
startling.
Knowledge is not easy to acquire. There are lots of audit tools and service providers available, but
not all of them are created equal. You need a reasonable amount of detail out of any review or audit
in order to be able to make decisions appropriately. Furthermore, even a good review or audit may
leave you with awkward hangover questions. You need to make sure you have time to address these,
if not immediately, then going forward.
Don’t forget email! Tags are frequently used in email marketing. Make sure your current email
practices are in scope for any review.
The exceptions are narrow, but not as narrow as you might think. An EU body has produced
guidance which has clarified what can be considered “strictly necessary” for performance of a service
a user has requested. Some social media services are covered, but not all of them.
Consent to what? A policy listing all cookies with descriptions of each one, or a rough overview by
class? The former approach has probably received most support to date (it is more conservative), but
since the International Chamber of Commerce issued some related guidance setting out classes of
cookie, the latter approach has increasingly started to find favour. Any approach should be legally
risk-weighted – the most intrusive cookies should receive most attention in your policy (although this
can be scary if they are also the most important commercially).
To “agree” or not to “agree”? The Information Commissioner’s Office has come out to confirm in
general that consent can be implied. In practice, this means using a pop-up to flag the use of cookies
on a site (you will have probably seen examples in your own browsing to date), which falls short of
giving “I agree” and “I don’t agree” options. Some pretty powerful stats have been published about the
commercial dangers of using an “I agree” mechanism with end users (many don’t agree!).
Links alone? Many retailers have held fire on using any pop-ups because of user experience risks,
and just gone with new site links (akin to the industry approach to privacy policies to date). Links are
part of the cookie compliance landscape, but in isolation their use is far from ideal. Cookies are
usually placed as soon as a user accesses a site; this needs to be flagged up straight away for
consent to be validly implied. By comparison, a privacy policy normally becomes relevant on
marketing sign up or a sale; a later process in which it can be (and should be) expressly flagged up.
© DWF LLP 2012
4011277-3 /RQM
Cookie management. Many sites are rolling out tools to manage cookies, even if initial consent is
implied. A proliferation of approaches exists, but the basic concept is unquestionably correct: you are
meant to empower a user so that they can withdraw their consent down the line if they want to. At
present, you need to take action yourself in this area; it looks like the web browser industry is not
going to come up with a solution in the medium term (some EU bodies are concerned that the US
driven “Do not track” initiative will not meet the standards required by the new cookies law).
If you do decide to roll out your own cookie-management tool the site and business impact can be
high, so any approach needs thinking through in full. There is a growing trend to use the International
Chamber of Commerce’s recommended cookies classes as a basis, and give options so that a user
can leave some cookies “on” (above those “strictly necessary”) and just turn “off” the most intrusive,
ad-serving ones.
Embedding customer preferences? If a user impliedly consents, how are you going to record this?
Via a cookie on their machine? If so, this needs to be included in your policy. What happens if the
cookie is later deleted by the user (either manually or on an automatic basis)? Do you want users
being hit by repeat consent messages? If not, you might want to consider alternative technologies to
record a user’s consent.
Embedding change control in your business. It is one thing to embed the current position into your
web estate; it is quite another to ensure any changes to your use of cookies are picked up and reflected
in your consent mechanism. Think about what controls you need, and how these should be
communicated. Do people need to know a little about the law to understand them?
The challenge(s) of mobile sites. Don’t forget about them! They often take a different approach to
your main site. Mobile is also a more challenging environment in which to present cookie information
and seek consent. Should you consider developing a user-friendly approach for mobile and then
rolling it out to your main site?
Going EU-wide? The new cookie law is driven by an EU Directive. This means that each EU member
state has some discretion in implementing its cookie laws, albeit from a common base. So if you have
premises and websites outside the UK but within the EU you may have to grapple with multiple cookie
laws which do not follow a completely consistent approach. That said, at present very few of the EU
member states have rolled out their new laws - the EU Commission is in the process of bringing fines –
so you might have a breathing space for now.
Going global? If your business operates outside the EU, don’t think the relevant part is automatically
outside of the new cookie law. You need to consider the position carefully. The new laws do not
distinguish between sites targeting EU citizens and those targeting people elsewhere. If your main
place of business is in the UK, or your servers are here, you are likely to be caught.
Is anyone going to punish me if I can’t be bothered? It is fair to say that the regulators have not
come out all guns blazing to date, and there has been some noise to the effect that they do not see
cookie compliance as a high priority. That said, they have extensive powers to investigate non-
compliance, seek public undertakings from businesses to force improvements (which are
embarrassing for board members to have to sign), and ultimately levy fines and bring criminal
proceedings. Some businesses have deliberately “baited” the regulators, so a showdown is possible.
Needless to say, we would not advocate doing nothing. The work involved in getting compliant is not
trivial but you wouldn’t want the additional hassle and expense involved in responding to a regulatory
investigation, even a gentle one (it is not quick or cheap to do).
Where do you want your brand to be? The new cookie laws are just one part of the privacy
landscape and the market norms in this area are still emerging, but putting pure legal compliance to
one side, it is hard to advocate stasis as a valid option if you are at all sensitive about your brand. It
should come as no surprise that businesses with major brands – e.g. BT and John Lewis – have been
very proactive in their compliance and treated their approach with the same care and precision as you
would expect of their main sales and advertising web pages. Ultimately, for a user concerned about
their privacy, your cookies and privacy pages may be the only opportunity you have to win their
custom, so they are worth doing well.
Interested in learning more? Feel free to give me a call or email using the details below.
Robert Machin Associate
Commercial & IP
DD +44 (0)161 604 1676 (Ext. 1676) DF +44 (0)161 603 5050 M +44 (0)7827 950 415
DWF LLP
1 Scott Place 2 Hardman Street Manchester M3 3AA
T +44 (0)161 603 5000 F +44 (0)161 603 5050
www.dwf.co.uk