Cookie Directive: Does our cookie warning triangle comply with the law?
With just over a day to go until the ICO (the UK cookie police) begin to enforce the Cookie Directive, I remain confused, despite having carefully studied the initial guidelines and the updated version, as to whether our proposed solution of a warning triangle on every page of our site goes far enough or not.
Last year I argued that it would be acceptable in certain circumstances, but further advice has been issued by the ICO since.
Some of this advice suggests it definitely isn’t:
It has been suggested that the fact the Regulations do not specifically refer to ‘prior’ consent suggests that consent can be obtained after the activity consent is needed for has occurred (in this instance after the cookie has been set).
It is difficult to see that a good argument could be made that agreement to an action could be obtained after the activity the agreement is needed for has already occurred. This is not the generally accepted way in which consent works in other areas, and is not what users will expect. Setting cookies before users have had the opportunity to look at the information provided about cookies, and make a choice about those cookies, is likely to lead to compliance problems.
Our solution does set cookies before the information is provided.
But other guidance, along with informal advice from them, suggests it is OK when used with relatively un-invasive cookies:
The Information Commissioner does however recognise that currently many websites set cookies as soon as a user accesses the site. This makes it difficult to obtain consent before the cookie is set. Wherever possible the setting of cookies should be delayed until users have had the opportunity to understand what cookies are being used and make their choice. Where this is not possible at present websites should be able to demonstrate that they are doing as much as possible to reduce the amount of time before the user receives information about cookies and is provided with options. A key point here is ensuring that the information you provide is not just clear and comprehensive but also readily available.
Elsewhere they also have this to say:
the more privacy intrusive your activity, the more priority you will need to give to getting meaningful consent
So in summary we are still taking the view that it is OK for Analytics cookies but not advertising cookies. Of course we may be wrong and if you choose to use our free cookie button generator, you need to do so at your own risk.
What we do know though is that it is going further than many well-known brands, even if any lawyer would be likely to say that our solution does not go far enough.
What we are of course doing, as part of our compliance plan, is maintaining a watching brief on this and remaining willing to change our approach if required.
What if I have banner adverts?
Behavioural advertising is what this directive is largely aiming at and the industry so far is steadfastly refusing to comply.
My view is that in many ways this is more of a problem for the networks than those of us with websites displaying banner adverts.
The industry's response has been to come together to offer an easy way to opt out of advertising cookies at the Your Online Choices site, and I feel that including the informed choices icon in a website’s footer (linked to an explanatory page) would at least be a hat tip to the directive.
Many of our clients do so-called “remarketing” where adverts are shown (on other sites) to people who have visited our client sites. Unlike just showing adverts on our site, if we were remarketing then we become a very active participant in the setting of cookies and the privacy invasion. I am of the view that getting a full opt-in is required if you are remarketing.
What about share buttons?
In my view share buttons have greater privacy implications than anonymous analytics software as, like most banners, they track folks across different websites with the ultimate aim of tailoring advertising. Somehow them being “social” makes them seem less worrisome! We are working to decrease sharing cookies but will continue to use our warning triangle (and home page notice) on the basis that the user has to have engaged with the social network for them to experience behavioural targeting (I know that is an over-simplification).
What if I am risk averse?
It makes sense to do the following whether you are risk averse or not:
- Adding prominent notices to your home page
- Removing cookies from your website (our audit tool can help here)
- Having a good cookie information page with opt-outs (which our soon-to-be-released updated audit tool will generate automatically for you)
If you want to beef up your response to the directive then consider the following:
- A time delay between users arriving on your site and the setting of cookies may allow you to argue that your users have been given an opportunity to peruse your cookie information. You could also do this by not setting any cookies until they move on to a second page.
- Move to a full prior consent opt-in approach to be bulletproof (but accept loss of revenue)
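One way to implement the delay, second-page and opt-in options above, as an added example that is not code from this site or its button generator. It goes slightly beyond the list by combining all three with per-category rules that mirror the view taken earlier (analytics deferred, advertising opt-in only); the category names, the 10-second delay and the function names are assumptions.

```javascript
// Added example; category names, delay and function names are assumptions.
const POLICY = {
  essential: "always",      // needed for the site to work
  analytics: "deferred",    // wait for a delay or a second page view
  advertising: "opt-in",    // remarketing and ad cookies: prior consent only
};

// True when the visitor arrived from another page on the same origin, i.e.
// this is at least their second page. Uses the referrer value, so nothing is
// stored on the device to make the decision. An empty or stripped referrer
// (Referrer-Policy: no-referrer) counts as a first page view.
function isInternalNavigation(referrer, pageUrl) {
  if (!referrer) return false;
  try {
    return new URL(referrer).origin === new URL(pageUrl).origin;
  } catch {
    return false; // malformed referrer: treat as first page
  }
}

// Returns the cookie categories that may be set right now.
function allowedCategories({ referrer, pageUrl, msOnPage = 0, consent = {}, delayMs = 10000 }) {
  const deferredOk = isInternalNavigation(referrer, pageUrl) || msOnPage >= delayMs;
  return Object.keys(POLICY).filter((name) => {
    const rule = POLICY[name];
    if (rule === "always") return true;
    if (name in consent) return consent[name] === true; // explicit choice wins
    return rule === "deferred" && deferredOk;
  });
}

// Browser wiring (does nothing outside a browser). loadAnalytics is a
// hypothetical callback that injects the analytics script tag.
function gateAnalytics(loadAnalytics, consent = {}, delayMs = 10000) {
  if (typeof document === "undefined") return false;
  const check = () => allowedCategories({
    referrer: document.referrer, pageUrl: location.href,
    msOnPage: performance.now(), consent, delayMs,
  }).includes("analytics");
  if (check()) { loadAnalytics(); return true; }
  if (!("analytics" in consent)) {
    setTimeout(() => { if (check()) loadAnalytics(); }, delayMs);
  }
  return false;
}
```

Because the second-page test reads the referrer rather than a stored counter, the gate itself sets no cookie or local storage before the visitor has had a chance to see the notice.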
What consent mechanisms are you adopting?
Update 25/05/2012 – The ICO have just issued new guidance. My first very brief flick through is making me happy.