Companies have been warned to show they are working towards complying with the EU cookie directive before it is fully implemented next year.
Speaking at digital privacy firm Evidon’s conference this week, David Evans of the Information Commissioner’s Office (ICO), said, “Companies need to start showing they are moving in the right direction as the directive has been around since May. As a regulator, we can point to lots of people doing different things, but do something is the message.”
The directive, which came into effect on 26 May 2011, giving companies one year to comply, requires businesses to get informed consent from their website users before storing or using any cookies or similar technologies.
This event was well timed to be about half way between when the directive came into play and when it will be enforced. In this time, there has been a lot of confusion, particularly around the definitions in the policy. These are still being interpreted at a local level, so the advice to show you are making some effort is spot on.
The best starting point is to audit your cookies and find out what you are dealing with, before then understanding the level of consent appropriate for what you require.
However, how to acheive consent remains a contentious issue.
Philip Milton, the Department for Culture, Media and Sport’s lead policy advisor for eprivacy and internet policy, said there is no silver bullet. “There is no one way to get consent,” he said. “It should be a package of compliance, a larger ecology of solutions.”
Companies are advised by the ICO to first work out exactly what cookies are being used on their websites, assess how intrusive they are and then develop a solution that fully informs consumers of what is happening, but without bombarding them with unnecessary technical detail at every stage.
Colin O’Malley, Evidon’s CSO, agreed that an ecology of solutions is needed to comply with the directive.
“It can be very challenging for companies,” he said. “Many say ‘I can’t be compliant until other units within the business are first’, but in the interim companies should make sure they have robust notices and choices, and clear communication devices that ensure they are going above and beyond in telling consumers.”
According to Rob Reid, senior policy advisor at Which?, while 75% of consumers are aware of cookies, only 50% actually have a good understanding of what they are, so more education is needed.
Reid said that there is a real need for consumers to better understand how cookies are being used, because 38% said it made them feel uncomfortable and almost half see it as an invasion of their privacy.
It was suggested that if consumers are given more information and increased control, their level of comfort will increase.
Nick Stringer, the Internet Advertising Bureau’s director of regulatory affairs, said, “Transparency is the key first step. It’s important to let people decide and let them make choices. Not everyone is going to want to know, but let’s give them the option.”