The EU e-Privacy Directive and subsequent ICO guidance is complicated and confusing enough when you look at desktop sites alone, but then there's the question of how it translates to mobile.
To recap: the 'cookie law' covers the use by businesses of information stored on users' 'terminal equipment' and this covers mobile sites and apps as well as desktop sites.
In a new white paper, Mark Brill from the DMA has bravely attempted to untangle some of the issues around mobile and the cookie law.
I've looked at some of the recommendations from the report, and the threat that the e-Privacy Directive poses to mobile marketing and m-commerce...
I asked the DMA's Mark Brill about the issue of mobile and cookie consent:
What are the unique challenges for complying with e-Privacy guidelines on mobile when compared to desktop?
As convergent devices mobile, and smartphones in particular, cut across many channels and technologies.
Whereas desktop is largely concerned with browser based cookies and email tracking, in mobile we also have to consider apps and other tech channels.
Mobile is both a personal and unique device, so brands need to take particular care around user permissions in this channel.
Online businesses are concerned about bounce rates caused by consent mechanisms, but surely this is an even bigger problem on a smaller mobile screen?
Besides simply the screen size, there are many UX issues with mobile. Touch interactions, location and even user intent make mobile quite a different experience.
Concern with bounce rates from pop-ups is completely understandable, but there are many mobile UX solutions yet to be explored. The BT permissions slider is an example of something that might work well on mobile, but hasn’t yet been tried.
In the white paper we’ve mentioned the use of short form versions of cookies policies which can be used in apps and mobile sites.
There are few great examples of brands executing mobile web well, so there is a lot more that can be done to create a good user experience. They therefore need to explore new ways to get consent on the mobile web.
The problem of obtaining consent for cookies on mobile devices
Essentially, the problems are the same as for desktop, but trickier thanks to smaller screens and the number of different devices.
In a recent Econsultancy/Toluna survey, just 23% said they would happily give consent to online cookies. It's likely to be much less for mobile.
Brands have been working hard on their multichannel strategies over the past few years, and now retailers like John Lewis and M&S offer ease of access and purchase across different channels.
This potentially places a spanner in the works of a retailer's multichannel strategy, and the same principle applies for users switching between work PCs and laptops at home for instance.
As the customer switches between devices they will see the same consent messages, which could becoming annoying, as the customers sees only one retailer asking them the same question again and again.
There is little retailers can do about this, unless customers log in every time they visit.
Mobile cookie consent and the user experience
As on desktop, there is, as yet, no browser-based solution to consent, so until (hopefully) the browser firms ride to the rescue, there is a real threat to the mobile experience.
If firms are forced to strictly comply and actively seek mobile users' consent for cookies, it's easy to see how the poor experience could decimate mobile sales.
Pop-ups and intrusive messages are a pain on desktop sites, but you can multiply the annoyance factor by about 20 if you apply these to mobile sites.
For example, BT's slider too is an excellent method of informing users about the cookies that are being used and allowing people to opt out of certain categories, such as cookies used for targeting.
It needs to be relatively detailed in order to provide the information and the cookie settings options, but it's hard to see how this could be applied to mobile.
At the moment, it's impossible to change settings on mobile (at least on iPhone), but even if the slider actually worked, you can see how fiddly it would be to alter settings.
Options for gaining consent for mobile users
For SMS and MMS, as there is no information stored on the user's mobile (their terminal device), this does not fall under the regulations.
Landing pages for consent
The only way to gain consent, strictly speaking, is to direct visitors to a landing page, where users can be asked to give consent for cookies.
After giving consent, they can then be sent to the page they wanted to go to in the first place.
Obviously, this will be annoying for customers. After seeing a page they didn't request, then having to fill in a form or answer a question before they can head to the site, many will undoubtedly abandon.
Speed is vital for mobile sites, and anything that means more pageloads will be bad for business.
Consent through registration
For repeat and engaged customers, this may not be a problem.
Registration does generally make mobile purchases easier, as it allows for saved billing details, but for new customers, compulsory registration could be the kiss of death.
It is fair to assume that compulsory registration is as big a barrier for mobile commerce as it is for desktop. In fact, it's likely to be worse.
In this case, strict compliance would mean asking users to register before they visit a page on the site.
The only e-commerce site I have ever seen ask for registration before even adding products to the basket is Playmobil, and that site is nuts...
Asking new visitors to register before browsing the mobile site would be absolute madness, and therefore very few (if any) retailers will do this.
Though not strictly compliant, this is the only real way to inform users about cookies without destroying the user experience.
If after viewing this, users wish to opt out, they can do so via browser settings.
This means that those who want to opt out are able to do so, but it doesn't harm the user experience for others.
Also, companies would be able to argue that they have provided this information and given them the option to view further detail.
Indeed, in a recent interview with the ICO's Dave Evans, he did think that implied consent would be acceptable, in some cases at least.
Mobile and web apps
Since the user is actively downloading an app, the problem of consent is simplified.
According to the DMA's white paper:
While mobile native apps are not referred to specifically within the Regulations, they would be relevant where apps set cookie or other tracking technology on a user’s mobile handset, and are used by the marketing organisation to access information on the handset.
For new downloads of apps, the user can be asked to agree to a set of terms and conditions when downloading the app or when first accessing it.
This is much simpler than for mobile websites but, since the average user is unlikely to read T&Cs, it doesn't necessarily achieve what the EU directive sets out to do i.e. improve consumer awareness of privacy issues.
It gets trickier for existing users of apps, as they will not have given consent when downloading, and therefore they may need to agree to an updated set of T&Cs.
QR and barcode scanning
According to the DMA white paper, the act of scanning a code does not fall under the regulations, nor does delivering a barcode, such as a ticket, to a user's handset.
However, it is unclear whether a QR code which sent users to a landing page would be affected. In theory, if they land on a mobile site, that site would then need to gain consent.
Obviously, this wouldn't help to improve the success rates of QR campaigns.
NFC / contactless payments
It's early days for NFC and though the ICO hasn't produced any guidance, it does fall under the regulations.
According to the DMA:
Positive consent to the use of cookie or other tracking technology should be obtained before the first time the user accesses the file or app on the handset.
Just as for desktop sites, the cookie law is a headache for mobile marketers and those forward-thinking retailers that have developed mobile commerce sites and apps for their customers.
Since creating a great user experience is more of a challenge for mobile sites and apps, this EU directive presents a real threat to mobile commerce.
We have seen rapid growth in mobile commerce over the last few years, and there is still plenty of room fur further growth.
There are also plenty of barriers to providing a great user experience on mobile, such as fiddly checkout processes, variable mobile internet connections, difficulties in catering for different devices etc.
If strictly enforced, the EU 'cookie law' would severely hamper the user experience on mobile and restrict sales through this channel.
For that reason, I would be surprised if any retailer adds consent mechanisms like those outlined above to their mobile site, unless they absolutely have to.
I'd love to hear your thoughts on the cookie law as it applies to mobile marketing, especially the steps you intend to take towards compliance on your own and clients' mobile sites and campaigns...
(Our report, The EU Cookie Law: A Guide to Compliance, explains the legislation as far as it affects UK online businesses, sets out some practical steps that you can take towards compliance, and includes examples of how websites can gain users’ consent for setting cookies. Do check it out.)