EU ePrivacy Directive – What Now?

There is a huge amount of uncertainty surrounding the European Commission’s ePrivacy Directive on cookies, with almost all businesses needing to know what the impact will be on their online marketing. We live in changing and, for many companies, uncertain times, with revenues and profits at risk across the board. Online marketing and ecommerce are clearly significant factors for business success, and the European Commission has decided to make waves regarding how they should be conducted.

The European Commission set a deadline of May 25th, 2011 for EU member states to ‘notify’ their adherence to the directive. Since the deadline, a 12 month extension has been given in the UK. So, what does this mean for businesses in other member states and in the long-term?

The right to privacy for an individual is deeply important and the use of personal data must be regulated. The directive fails to do this; it just meddles with some of the key building blocks that underpin how businesses build customer relationships online. The directive has succeeded in being ambiguous and incendiary, and I feel it will achieve very little for the following reasons:

  • It attacks all types of tracking, from innocent site tracking through to complex re-targeted advertising
  • It requires local enforcement, ignoring the fact that users browse with little thought to the origin of the websites they view or where they are hosted
  • The concept of a cookie opt-out is important; however, they fail to offer a route for marketers to take in order to conform with their rules

Overall, I feel they have attempted to take an axe to the backbone of online business, without understanding how it or its users actually work. The implications of what this will mean for online business in the future have left many of us a little confused.

Adoption of the directive

Once the European Commission has issued the directive to its member states, each state must notify the Commission of its acceptance and then attempt to enforce it. Notification to the European Commission was due by 25th May 2011. Here are some facts on just how many of the EU member states have notified the European Commission of their compliance:

Accepted the directive:

  • Estonia
  • Denmark
  • Finland
  • Ireland

Partially accepted the directive:

  • UK
  • France
  • Slovenia
  • Luxembourg
  • Latvia
  • Lithuania

Not sent a notification:

  • Austria
  • Belgium
  • Bulgaria
  • Cyprus
  • Czech Republic
  • Germany
  • Greece
  • Hungary
  • Italy
  • Malta
  • Netherlands
  • Poland
  • Portugal
  • Romania
  • Slovakia
  • Spain
  • Sweden

This list was compiled from many disparate articles (including this one from The Register) as there currently appears to be no central resource should you wish to understand what the implications are in a given territory.  If you know more and can update me then please get in contact.

The European Commission states that it will open ‘infringement procedures’ against member states that have not conformed to the directive. In addition they have said that partial acceptance/adoption ‘falls short’ of the European Commission’s expectations.

What now?

So where does this leave companies that are trying to communicate, market and sell online in the member states of the EU? Whilst it would be reckless to say that business should ignore the directive, Ed Vaizey, Minister for Culture, Communications and Creative Industries in the UK, wrote an open letter that basically declares business as normal until ‘technical solutions’ have been created.

I feel that this very clearly embodies the ‘pragmatic’ approach intended by the UK authorities, which essentially boils down to:

[Image: EU Cookie Directive]

As mentioned previously folks, please share your thoughts regarding the information in this post and provide updates where and when you see necessary.

12 Responses to “EU ePrivacy Directive – What Now?”

    • Rob McLaughlin

      Richard, thank you for your comment.

      The Republic of Ireland’s stance is a strong one, as the commentary that you link to states, the allowance of session based cookies is a savvy accommodation on behalf of a large body of Irish internet business (surely including Google).

      Please do give me a nudge when you have further clarification on the Dutch approach.

  1. Nick

    I presume the reason that the European Commission has not bothered to make their own website compliant yet is because Belgium have not sent a notification? I really think they should serve their notices against themselves before they complain about anyone else.

    • Rob McLaughlin

      Nick, you echo my sentiments, they should “eat their own dog food”.

      The fact that they have made little move to come into line with their own directive, or even comment on it, is testament to the ambiguity of the policy itself. Recognition goes to the ICO in the UK for having a good go themselves at implementation and further for reacting so well to Vicky Brock’s request for information.

  2. Vicky Brock

    Hi Rob,

    I think the problem is that the pragmatic, keep calm and carry on approach you mention is what is being said behind closed doors. I think a number of us have had personal conversations with “insiders” if you will, where there has been the personal suggestion that carrying on as normal is a perfectly rational option.

    BUT, thanks to the ICO’s guidelines that effectively single out analytics ahead of anything else, that is not what is being communicated to the public or businesses (and the lawyers, auditors and compliance staff of businesses).

    The browser/industry level solution that Ireland has chosen is not the angle the ICO as an independent quango has chosen to pursue in its initial announcements, so the government’s largely informal comments on this are largely irrelevant. Those bodies with an extreme privacy agenda and an anti-Google agenda will raise test cases when the 12 months expires & what a minister did or didn’t say won’t matter.

    Clarification is urgently required – especially with countries like Finland & Ireland (who have accepted the directive) not putting the onus on individual businesses and not singling out analytics cookies in the way the UK has. I honestly think that if the UK doesn’t take another look at its guidelines and interpretation, it is risking seriously harming its ecommerce industry. As you highlight, the ICO need to clarify how the geography specific stuff is supposed to apply in a relatively open online market. After all, if I can sell to the UK market from Ireland without this kind of hassle and risk of fines & competitive disadvantage, why wouldn’t I?

    While the UK government and their quangos talk to the public about one set of facts (I can’t accurately recall, was there a mention of £500,000 fines?) and then informally brief back to business not to worry about it, then utter confusion reigns.

    Since I published the graph showing the ICO’s GA data dropping by 90% I have followed a lot of posts from different sectors discussing this topic and interpreting the data in different ways. What has surprised me is that outside the analytics community, especially in consumer & non-marketing audiences, it is not understood that analytics cookies are anonymous and benign – people really think they are stripping out private data wherever they go. I don’t think the ICO people ever understood the difference between 1st and 3rd party cookies and I think their guidelines have expressed that and duly further confused the public and put UK businesses at a competitive disadvantage.

    It is ironic that a ruling aimed at the exchange of PII via 3rd party behavioural targeting cookies has identified benign 1st party analytics cookies as the symbol of evil.

    I am advising my clients to do nothing more than a cookie audit and wait. But as an industry, I don’t think we can ignore it and wait ’til it hits the courts, because if the people working in this field don’t understand cookies, I hate to see what a judge makes of them.

    I shall shut up for now ;-)

    Best wishes,

    Vicky

    • Rob McLaughlin

      Vicky, thank you for your fantastic comments.

      I agree that ‘the lawyers, auditors and compliance staff of businesses’ will be taking this all more seriously and I can understand their position. In fact, I would encourage them to engage with people such as you and me, so that they fully understand the practical realities of compliance in online business, as well as the cold, hard line items in the directive.

      You are right to point out the informality of Vaizey’s open letter; nobody will be able to hold him or the government to any of the statements it includes. I do however feel that it is better than nothing; at least UK business knows that the directive is on the mind of the powers that be.

      As for understanding the issues, your suspicion that the ICO didn’t understand the difference between 1st & 3rd party cookies is echoed by my colleagues. We must take it upon ourselves to provide leadership, authority and clarity to our industry, our clients and, it seems, our regulators.

      Thank you again and I hope you enjoy my shortly to be published post that looks at the ICO data you inspirationally acquired.

  3. Emer Kirrane

    Hi Rob,

    This directive does seem to have created a lot of panic. If you want my absolutely personal opinion, I think that policing this will be by exception rather than rule and keeping calm and carrying on, as Vicky says, is the way to go. But all it would take is a new red-top article about how cookies suck the brain matter out of your head for a crack-down to take everyone by surprise, so it does need to be kept in the forefront of one’s business mind. Have a plan B!

    I’ve been asked several times for the Yahoo! position and we’d say there is no single, one-size-fits-all answer to how transparency and control over cookies must be delivered. It will require cooperation across all levels of industry – ad networks, publishers and browsers, and will inevitably have to be delivered via a range of tools designed to empower. These include new self-regulatory developments in the area of behavioural advertising, cookie and other controls provided by browsers, and other tools. Technological innovation in this area is already happening; we are convinced that it will deliver user-friendly and practical solutions that will contribute to a privacy-protective environment for Internet users but at the same time preserve existing business models.

  4. Peter O'Neill

    Nice summary Rob and I personally am trying to follow Vicky’s thoughts on this across multiple posts…

    It should all be so simple, 1st party cookies should be fine by default (you access someone’s website, they should be able to know you opened the door and had a look around) while 3rd party cookies should have a browser setting (so companies can’t follow you around the web if you don’t want them to). But I see a very big difference between perception and reality as Vicky and yourself have stated.

    None of the people involved in making these laws seem to understand cookies and it is so much easier just to ban them all. Plus it eliminates the risk of the media or privacy groups using this issue against them personally. I would like to think we will end up at a common sense solution but not overly confident about that.

    Moving on to alternatives if it all goes wrong. This law appears to refer to cookies only. Does that mean we can still receive measurements for web analytics tools as long as they aren’t tied together by cookies to represent one visit/visitor? Can we use IP Address & User/Browser agent instead (as Sitestat does as a backup already)? Are log file based web analytics tools acceptable? What about tools like speedtrap that capture everything?

    Cheers

    Peter

  5. Steve

    Hi Rob,

    I have pretty much covered it on my own blog here http://bit.ly/oLBx8F but I’d also go a bit further and say that in Finland the law has been interpreted totally differently than that of the UK.

    In Finland a graphic will be added to 3rd party ad tracking banners that leads to an opt-out and sites should allow people to opt-out of tracking. It’s not explicit opt-in like the ICO is suggesting. This to me gives control to the consumer and makes a lot more sense for the industry.

    Cheers
    Steve

  6. Vicky Brock

    Hi Rob,

    Interesting comment thread – and Peter, I am trying to keep up with my own opinions & arguments across multiple posts and blogs, so I sympathize ;-) I will be pulling them together shortly.

    Peter’s point about this being so cookie (and thereby primarily page tagged based analytics) specific is a good one – it doesn’t preclude IP based logfile analysis (even though the Germans regard IP addresses as the analytics bogeyman, rather than cookies). As us oldies who grew up on pure logfile analysis probably recall, when you are walking around with raw log & transaction data in your handbag, there is way more scope for accidental loss & exposure.

    Also, as I interpret it, it refers to the storage of cookies on a user’s machine, so technically it doesn’t preclude the potentially less secure, less user respectful option of just taking a user’s unique device reference/browser configuration and instead of serving a cookie type file to the device, storing it in a virtual cookie jar away from the user’s machine. That seems to me like the kind of workaround that is likely to emerge, but I don’t see how that serves either consumer or business better than the current model.

    Personally, I don’t think we’ll ever succeed in educating the wider market about good cookies, bad cookies and completely inexcusable cookies – so maybe as a community we have to be far better advocates on why measurement matters.

    For example, couldn’t you construe that a hypothetical body that wanted to ban the means of measuring whether it was delivering value for money online, might just have something to hide from its citizens/taxpayers?

    Or perhaps there is some new model, the semantic web or something yet to emerge, where I the web user am the owner of all my data and I choose to let you interact with it in exchange for you giving me access to web services and information that I want. It is stored on my machine, in a kind of storage jar, I can choose to delete it if I like, oh wait…..

    Cheers,

    Vicky
