There has been a huge amount of interest within the Econsultancy community around the EU e-Privacy Directive, sometimes rather misleadingly referred to as the ‘EU Cookie Law’ (as it doesn’t just apply to cookies). This is not surprising, as the deadline for compliance with the directive in the UK is May 26th, so less than two months away.
People have been asking "So what is Econsultancy going to do on its site?", and "What do you think is best practice?", and "Will Econsultancy.com be compliant?". Today we have set live our ‘solution’.
(UPDATE, 18 April 2012: Our new report, The EU Cookie Law: A Guide to Compliance, explains the legislation as far as it affects UK online businesses, sets out some practical steps that you can take towards compliance, and includes examples of how websites can gain users’ consent for setting cookies. Do check it out.)
What we have done
1. We reviewed the documentation and advice available (see 'Useful Resources' at the bottom of this post).
The main takeaway from these for us was that there appears to be a gap between what is actually compliant with the Directive and the likely level of enforcement or action that the ICO will take. Specifically, we believe that the likelihood of any fine seems to be confined to those openly abusing their users' privacy.
2. We did a cookie and privacy audit
There are three points to mention about doing this.
Firstly, it is a good thing to undertake an audit irrespective of the Directive. You may well find there are scripts or tracking in place that you no longer actually use or need. Removing these, or tidying them up, may well improve the accuracy of your measurement and analysis. It should also help speed up page load times.
Secondly, if you use a simple tool like Ghostery, don't expect to pick up all the cookies/scripts that you are using. Ghostery works at a page level, and you will likely be using some cookies or scripts on only certain pages of your site. Unless you visit all the pages of your site you won't find all the cookies/scripts. For example, a lot of tracking typically sits on the checkout confirmation page. You are unlikely to visit this page on your own site; equally, tools that crawl/spider your site are unlikely to be able to access secure areas like this. So you need to use tools, but also check with your web dev team and suppliers/agencies to try and find all uses.
You can see it top right in the site header above the site search. The text isn't quite white but grey. It isn't that large. Is it prominent 'enough'? Who knows. There are various ways of implementing this (see examples below) and we'd like to see some protocols established, or best practice at least, to help site owners, and users, know how best to implement this from a design and user experience perspective.
You can read that content by following the link to the policy in the top right of the header. We'd love your feedback on it as, again, we'd like to try and establish what good practice looks like in terms of creating policies that are helpful to users (and that work for site owners too).
We have tried to make the content as 'plain English' as possible, at least given our target market who are typically quite savvy, and also to be as comprehensive and transparent as possible. We have only grouped cookies into two broad categories. Other sites (see examples below) have gone further in their segmentation/description of cookie types.
From our understanding of the Directive, our solution is not strictly compliant because there is still no informed, or active, consent. And, as yet, we have not provided any options to selectively opt in/out of particular cookies: this is still up to the user. However, it is also our understanding that this solution is highly unlikely to be ‘actionable’ by the ICO and even less likely to incur a fine as we are clearly not trying to abuse our users’ privacy.
Why we have done it
To be honest we haven’t done this out of a fear, or desire, to ‘comply’. We have done it partly because we believe it is a good thing for site owners and their users to have clearer policies and information on privacy.
However, we are most interested in educating the industry about best practice in digital marketing and e-commerce, so we are motivated by trying to understand, and build consensus around, what ‘best practice’ is in this area. Whilst we certainly do not claim that our implementation constitutes 'best practice', we are keen to hold it up as an example, a straw man, which can be critiqued, iterated, and referenced.
We welcome your comments, thoughts, and feedback below.
Other examples to look at
We're very keen to help establish best practice, or guidelines, in this area. Rather than debating the theory, or the law, we feel it is perhaps most helpful to see actual examples of implementations that you can then adapt. Note that actual implementations can only be 'judged' by the ICO, as far as compliance goes. We, along with a few brave others, have deliberately set live our approach before the May 26 deadline in order to give others further time to see what everyone else is doing.
I'd say there are currently three broad levels of approach:
Level 2 = user can selectively opt in/out of groups of cookies
Examples: BT (overlay bottom right that disappears, 'slider' for cookie opt out/in); Magiq (selective opt out/re-opt in); Reuters (this links to the frame/overlay provided by Evidon on the Reuters site)
Level 3 = active opt-in
Examples: ICO - still the only site we've found so far that has this.
My reading of the Directive would be that only Level 3 is, strictly speaking, compliant.
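The three levels above, as an added example that is not part of the original post and not Econsultancy's code: a small JavaScript consent gate showing which non-essential cookies each level lets a site set before and after the user decides. Level 1 is modelled here as a notice with a single global opt-out, and the consent cookie name and its format are assumptions.

```javascript
// Added example, not Econsultancy's code: a consent gate modelling the three
// levels in the post. Level 1 is modelled as a notice with a single global
// opt-out (an assumption; the post does not spell Level 1 out), Level 2 as
// per-group opt-out/re-opt-in, Level 3 as active opt-in. The cookie name
// "cookie_consent" and its "group:1,group:0" format are also assumptions.

const STRICTLY_NECESSARY = "necessary";             // session, consent record
const NON_ESSENTIAL = ["analytics", "advertising"]; // groups the user decides on

// Read the consent record out of a document.cookie-style string.
// Returns {} when the user has not recorded any decision yet.
function parseConsentCookie(cookieHeader) {
  const decisions = {};
  for (const part of cookieHeader.split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name !== "cookie_consent") continue;
    for (const item of rest.join("=").split(",")) {
      const [group, value] = item.split(":");
      if (group) decisions[group] = value === "1";
    }
  }
  return decisions;
}

// Decide whether a cookie in `group` may be set under a given level.
function mayUseCookie(group, decisions, level) {
  if (group === STRICTLY_NECESSARY) return true;
  if (!NON_ESSENTIAL.includes(group)) return false; // unknown group: refuse
  const decided = Object.prototype.hasOwnProperty.call(decisions, group);
  switch (level) {
    case 1: return decisions.all !== false;           // allowed unless opted out
    case 2: return decided ? decisions[group] : true; // per group, default on
    case 3: return decided && decisions[group];       // nothing until accepted
    default: throw new Error("unknown level " + level);
  }
}

// Run a tracking loader only when the gate allows it; reports whether it ran.
function loadIfPermitted(group, cookieHeader, level, loader) {
  if (!mayUseCookie(group, parseConsentCookie(cookieHeader), level)) return false;
  loader();
  return true;
}

// Serialise decisions back into the consent cookie value. The record itself
// is strictly necessary, so it can be written before any consent exists.
function consentCookieValue(decisions) {
  return "cookie_consent=" + Object.entries(decisions)
    .map(([g, v]) => g + ":" + (v ? 1 : 0)).join(",");
}
```

Only the Level 3 branch withholds non-essential cookies until the user has actually accepted, which is what the reading of the Directive above turns on.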
Phil Pearce, an Econsultancy member, has kindly collated 20 implementation examples which you can download as a PowerPoint show (.ppsx).
Useful Resources
- Econsultancy articles with very useful comments from the community – shows a list of articles on Econsultancy on this topic with the most recent first.
- (PDF Download) Implementer Guide to Privacy & Electronic Communications Regulations – from the UK Government’s Digital Service.
- (PDF Download) Guidance from the UK’s ICO.
- (PDF Download) Open letter on the UK implementation of Article 5(3) of the e-Privacy Directive on cookies from the ICO and Ed Vaizey, Minister for Culture, Communications and Creative Industries.
- (PDF Download) The actual Directive 2002/58 on Privacy and Electronic Communications itself.
- W3C’s Tracking Protection Working Group – working on browser-based solutions to privacy.