
With just over three weeks to go before the EU Privacy Directive comes into force in the UK on the 26th May, it is clear that the official response is still in flux and as we get closer to the deadline, the solutions to the requirements from both private and public organisations are becoming more pragmatic.
Is ‘Active Opt In’ the best approach?
Recently, I attended The Association of Online Publishers (AOP) Forum ‘Preparing for the EU Privacy Directive’, where we heard from David Smith, Deputy Commissioner and Director of Data Protection for the ICO. He informed us that they would be issuing the third version of their guidance at the end of May, and he gave a strong indication that implied consent is acceptable for analytics cookies. When questioned in the panel session, he said the ICO’s own response was ‘whiter than white’ but warned against using their site as a model (i.e. the banner with active opt in), as there has been a terrible loss of data. This relaxed and pragmatic response was also reflected in a Q&A with the ICO’s Dave Evans on EU cookie law compliance, published on the 24th April, where Evans admitted that ‘we don’t know what compliance will look like in a year’s time. There are lots of gaps here, and we want people to fill them with good practice’. Less than a week later, Dave also gave an interview to Marketing Magazine, following his presentation at this year’s Audit Bureau of Circulations (ABC) Interactive event, where he called for more transparency with web users, explaining: “A lot of the complaints we get at our office are not from people who are aghast at what companies do, they are just shocked that nobody explained it to them.”
UK government stipulates web analytics are ‘essential’
When the UK’s Government Digital Service (GDS) published the Implementer Guide to Privacy & Electronic Communications Regulations (PECRs) for public sector websites earlier this month, they argued that web analytics are “essential” for the effective operation of government websites and that “at present the setting of cookies is the most effective way of doing this”. For further analysis and commentary on their stance, take a look at the excellent blog post by Glynn Davies on Econsultancy, where he summarises that ‘the GDS seems set to take a gamble that the ICO won’t crack down on analytics … and unless the GDS change their view (or are required to change it after May), the rest of us can at least continue to be hopeful that our analytics are safe for now.’
Getting users to selectively opt in/out of groups of cookies: how is the private sector reacting?
But what are others doing in the private sector? BT has been applauded for their approach, deploying an overlay at the bottom right of the screen via which users can selectively opt in/out of groups of cookies. Their language is reassuring and gently persuades users that by ‘doing nothing’ they get the best possible experience. If the user decides to change settings, they are offered a good slider device – with 100% opt out, the slider is moved to the left and again the language is jargon free and doesn’t explicitly mention ‘web analytics’ but does mention ‘improving the overall performance of the site’.
Reuters adopt a similar approach and link to the frame/overlay provided by Evidon (the largest dedicated provider of privacy and compliance solutions for digital media).
But what is the user response to the opt-in solution? US statistics suggest low take-up of opt-out (0.001 click the icon, only 2% then opt-out) and Google also highlight that of the small percentage of people that interact with ad preferences manager, 7 out of 8 make no change.
Taking action; being more prominent and improving the information in your privacy policy
At the very least – having viewed the documentation, available advice and undertaken a cookie and privacy audit – organisations should be focusing on the user’s privacy. It is a privacy directive after all and its ultimate aim is educating consumers and allowing them to make informed choices on how their data is used. This can be done by giving a more prominent link to the privacy policy on your site and improving and updating the information within the policy itself – making it clear, transparent and as comprehensive as possible. The approach should be less about being hung up on the technology and law and instead focus more on the end result of having clear policies and users having a good grasp of your online privacy. A good example of this would be John Lewis.
The Commercial Impact of the EU Privacy Directive
Interestingly, the final takeaway from the publishers at the AOP Forum was that – so far – their commercial operations do not seem to be affected and they will not lose revenue when the new law comes in.
The ICO’s Dave Evans also explicitly states in the aforementioned Q&A article that ‘the law does allow us some leeway, and if a company’s revenue would drop if it went for a strict opt-in, then we could look at different ways of educating users and gaining consent.’
Let’s hope that this sentiment of ‘Keep Calm and Carry On’ (as set out in our first article on the topic) continues to reign. Recent analysis by online customer data platform QuBit said that if both site owners and regulatory authorities did strictly interpret the law, compliance could cost the UK economy up to £10bn, coming directly from lost sales and damage to existing technology and advertising businesses, as well as the migration of online businesses overseas as they look to avoid the cost of compliance.