Last night I attended the International Chamber of Commerce (UK) discussion on the EU Privacy Directive (aka the Cookie Law) and the guide they are finalising.
Amongst those in attendance was Dave Evans from the ICO (the body that is defining and will enforce the regulation in the UK); I’ve heard him speak on this topic previously at the eMetrics event and he seems genuinely interested in both improving user privacy and improving compliance without excessive disruption. His feedback is that by and large good efforts are being made by business (although most of this is in the background at the moment). My key take-aways were:
The new directive puts extra emphasis on ensuring the user is ‘fully informed’; text on a privacy page buried deep in the site (that your analytics will tell you no one views) is not sufficient. Getting this consent does not have to be too onerous, however. The often-quoted explicit consent example using the ICO’s own website is overkill for a lot of situations. Depending on your circumstances, implied consent (inferred from actions) will be sufficient (if you are confident your users are fully informed).
It should be added that BA.com currently uses 29 different tracking beacons on its site, therefore it has a greater task than most to get its users fully informed.
The directive provides an exemption for cookies that are deemed ‘strictly necessary’. The classic example is a session cookie that enables the site to remember you have items in your shopping basket as you move from page to page. The ICO have repeatedly stated that this exemption shouldn’t be relied on.
26th May 2011
When the regulation came into law last May, the ICO issued a statement that there would be a 12-month grace period. At the ICC session Dave Evans clarified that when this grace period ends they will review their enforcement approach. He pointed out that they will NOT be issuing enforcement notices on the 27th May 2012. Indeed, he was at pains to point out that he cannot think of a case where use of analytics cookies would result in a monetary punishment. In terms of what would trigger action, it was suggested that only activity that is wilfully misleading and generating a large number of complaints would do so.
Last year’s comments by the Department of Culture Media and Sport (DCMS) encouraged some to think that this issue would be fixed by the browser makers. A DCMS statement (sent in the absence of a representative) is very clear that this will not be the case: “…improved browser settings will not by themselves equal compliance”.
How to become compliant
For UK businesses the ICO want you to have a plan in place by May 2012 – not implemented, just the plan. To get there they say you need to 1) audit your activities to understand what cookies you and your partners are issuing, 2) assess how intrusive each of these is, and 3) decide what approach is required to obtain consent.
For UK Marketing Managers cursing that this is another hurdle to overcome, just be thankful that you are not in the Netherlands where the current interpretation is that you must prove user consent.
Following this news story an opinion piece by our analytics consultant Paul Cook will be published on the Blue Latitude blog later in January 2012.