The EU Cookie Directive entered a new period of farce last week. One day before we were all supposed to have our websites under control, the Information Commissioner’s Office has decided to give website owners 12 months to get their house in order and government minister Ed Vaizey has challenged some of the key guidance previously given out by the ICO on the issue of getting consent.
Websites owners were beginning to engage with the important issues the directive is trying to address (albeit misguidedly – the directive that is!) but the minister’s few words have ensured that all things cookies have sunk immediately to the bottom of to do lists again.
This is illustrated perfectly by a tweet from Fergus at Macdonald Sporrans, a client who I was discussing the announcements with:
It’s a view also reflected in a post from E-Consultancy, an organisation that holds sufficient sway that many website owners and internet marketers will take their view as gospel.
I’m not convinced that doing nothing is the right way forward, although that has little to do with the ICO’s statement that they will start gathering evidence of non-compliance before the 12 months is up.
Lack of Action
The number of sites complying with the new directive (or even making effort to be seen to comply) are few and far between. So far I’ve only come across a few examples (though I’m sure there’s more) each with differing approaches to achieving compliance. Here’s 5 differing approaches:
The ICO (them in charge of enforcement)
The ICO themselves have made effort, though some of those more au fait with the intricacies of cookies than I are even suggesting that what they have done is not fully compliant.
Compliant or not, it certainly isn’t a good user experience and I suspect that a privacy campaigner would be fairly under whelmed too by it’s inability to explain things in plain english.
I heard that Argos had a pop-up consent form in action on the first morning of the law (last Thursday). It’s definitely not there now so I can only assume that they’ve decided that either it was no longer needed, or it had such an impact on the site’s conversion rate, that they decided they couldn’t afford it. Most likely it was a bit of both.
I am slightly surprised that there isn’t some half way house being implemented – I see no mention at all of cookies on their home page.
This is a so much more attractive version than the ICO’s effort though it assumes consent if user’s continue – i.e. no accept button is required. Personally I feel that this would stand an excellent chance of complying and could be copied for all except the most invasive cookies (5’s on our naughtiness scale) or those lending themselves to more specific notice (e.g. registration).
We’ve gone for the soft approach as discussed previously with our floating icon in the bottom right of screens on every page and our cookies information page (both of which are work in progress – just slightly slower progress since the announcements!)
West Sussex County Council
They’ve gone even softer by simply providing their take on a cookie information page in which they declare:
This “promotion” seems limited to a notice on their home page which is the third rotation in a changing element (so therefore unlikely to be seen by many and which will likely taken away altogether as more news comes along).
Being a government website it’s an interesting case study. Is their approach legal? I’d argue not as their notices are unlikely to be noticed by even a minority. However their likely use of invasive cookies is probably pretty minimal which could be viewed as “mitigating circumstances”
The missing case studies in my view are those who’ve sought to do something about the more invasive type of cookies this directive is really aiming at including behavioural advertising and affiliate cookies. There’s talk of action from industry bodies so for the rest of us, some “waiting and seeing” is probably OK.
What’s going to happen next?
There is no doubt in my mind that the guidance will be very different in 12 months time to what it is now. Will the cookie directive even exist then? I’m not sure but what I do believe in is that the privacy concerns behind the directive are not going anywhere.
The offline world doesn’t allow businesses to invade people’s personal spaces (without consent or notice) in the way that most (yes most!) online businesses do today, so inevitably something has to change.
Legislation in a world-wide economy is not easy. My instinct tells me that the “pull” of customer wants has as much to play in changing habits, as the “push” of legislation does.
In terms of the legislation specifics, it does seem that common sense is winning and that the way “consent” can be interpreted will be softened (increasing the chances of the approach we are taking ourselves being compliant).
Wake up call?
The arrival of the cookie directive has highlighted that we weren’t (as I suspect 99.9% of businesses weren’t) even complying with the previous softer version of the legislation which requires us to provide information on the cookies we are using and an easy way to opt-out.
This isn’t a big task and as an industry, it is my view that we should be seen to be at least doing this to show we can be responsible. That is if we wish to avoid getting legislation that doesn’t cause us a whole heap of problems.
This is why we will be progressing our cookie audit tool with focus on finding out what cookies your website uses and providing information to create cookie information pages which are the required steps to comply under the older legislation.
The third step is about “getting consent” which is the primary difference between the old and the new legislation. So much is going to change in the next 12 months that having a “soft consent” plan and a commitment to keep up to date is probably enough for now.
So let’s not leave that conversation for 12 months time but instead take some calm steps towards getting our houses in order.
(Disclaimer: All the above is my opinion, I’m not in anyway qualified to provide legal advice – thankfully)