I’ve been on record a number of times saying that I think the EC Directives relating to cookies are fundamentally flawed. We could make a parallel with the current UK/EU Euro ‘situation’ but let’s not go there. In the UK the Information Commissioner’s Office (ICO) has a duty to enforce these directives and, as they say, “This isn’t going away. It’s the law.”

Yesterday the ICO released its updated guidance for UK website owners. You can download the PDF from the link in the news release. 

Given the tough task of interpretation, guidance and enforcement that is the ICO’s duty, I have to say that I think this document is a valiant and comprehensive effort given the task and I’d commend them for this. I would urge you to read it for the full details. It is clearly written and quite practical.

Below are some of my initial thoughts on reading this latest guidance.

Responsibility for educating users about cookies is being devolved to site owners.

My overriding feeling having read the report is this: whilst everyone, including the ICO, recognises that users don’t understand cookies (nor do they probably want to), and that there are, in my view and many others’, better solutions on the horizon (e.g. browser settings), we are about to hit a point where all website owners are going to have to deal with the inevitable pain of trying to educate users about cookies.

I see no indication that any government, EU or national, or any particular body or association is going to take the (financial, mostly) responsibility to educate users at any scale. 

Indeed, it would be very hard to do so. However, there are parallels where this sort of task is being done e.g. the switch off of analogue TV in the UK which Ofcom is currently ‘marketing’ at scale. But the internet doesn’t deserve such treatment? 

So those of us who run sites are going to have to force it down our users’ necks and, maybe if we did it all at once, then the medicine will be bitter but swift and we can all move on. Maybe.

There are still some areas which appear near impossible for compliance.

The report mentions, almost in passing, that devices like mobile phones, internet-connected TVs and gaming consoles are covered by these directives and the same level of compliance is required as for websites. 

Not surprisingly the report doesn’t go into much detail as to how, practically speaking, you would be expected to implement such compliance on a mobile phone let alone a TV. It has got user experience train wreck written all over it. 

Also, third party cookies remain a nightmare from a compliance point of view. The report says ‘this is one of the most challenging areas’. You’re not wrong there. Even if one discounts the obvious challenges around cookies for third party analytics, targeting and so on, what about all those embedded YouTube videos, those embedded Slideshare presentations, not to mention any kind of widget, social log-in button, etc, all of which want to set cookies? 

The whole internet experience is becoming even more ‘networked’, embedded, atomised, API-ised. Trying to separate ‘first and third party’, even what constitutes a ‘single website’, is increasingly impossible. And, as with analytics tracking, there seems to be very little evidence to me that the users we’re supposedly ‘educating’ for some benefit really care or want these complexities explained.

Woah! The “that’s-going-to-be-interesting-to-see” bits

A few parts stood out for me that throw up a lot of big challenges:

  • Essentially it seems that whilst there is a lot of talk about ‘shared responsibility’ (= unworkable), it is site owners who have to take responsibility for informing their sites’ users about third party cookies. The report even suggests to those third parties that they write into all their contracts that it is the site owners’ responsibility to ensure their users are informed about, and consent to, the third party cookies. So I assume the likes of Facebook, Amazon, Google, Apple etc. will all abrogate responsibility legally to the rest of us and it’ll be our job to explain what exactly Facebook is doing with cookies when our users log into our sites using Facebook Connect, for example? What fun.
  • Non-EU sites will still be expected to comply where there are EU users using their sites. I’m fascinated to see what the likes of Facebook and Amazon have to say about this. Amazon famously ignored pressure to adopt Visa’s 3D secure. Will the Americans laugh in the face of the EU? And if none of these sites comply then what will that mean for the rest of us who will be freaking out our users with these ‘unusual’ messages? And is everyone confident they can even accurately identify ‘EU users’?
  • ‘Device fingerprinting’ as a way of identifying a user is OK but cookies are not?! I’ve always thought that it has not been adequately clear what ‘personally identifiable information’ actually means. For me it means someone knows my name and where I live I guess. However, these Directives see cookies as ‘personal information’. I don’t. It seems, though, that device fingerprinting, is allowable. So are we just going to see a mass transition amongst tracking/analytics technologies away from cookies to device fingerprinting instead? Like the earlier moves from cookies to ‘Flash cookies’?

There are still plenty of grey areas or ‘loopholes’

Of course, I would not, could not, advocate site owners try to find ‘loopholes’ or ‘workarounds’. But it is necessary to try and see past the ‘could’, ‘might’, ‘in theory’ language that permeates this latest guidance to make decisions on what we actually do. 

The report does give a lot of very useful guidance on practical steps in section 10. None of this is that new and we have covered it before but it does outline the steps that organisations must take to be on the safe side of compliance. 

However, the grey areas or ‘loopholes’ that I noticed were as follows:

  • A distinction is made between ‘subscribers’ (those paying for the internet connection) and ‘users’, where the former’s preferences might take precedence. A single ‘subscriber’ in a household, therefore, might be able to determine cookie opt-ins on behalf of the whole household? More interestingly, in a work-based internet usage scenario, “… it would not seem unreasonable for the employer’s wishes to take precedence”. Given most usage of the Econsultancy site is at work, does this mean we’re a bit more exempt from compliance? (Intranets, by the way, are deemed to be exempt, at least by the UK’s ICO.)
  • It is allowable to ask consent for *all cookies you use at once*. Yes, you have to explain what all those cookies are and what each one/type does. But we all know that no-one reads those explanations. People see an annoying tick box thing and probably make a fleeting judgment on whether to proceed or not. If the main message here is “Consent to cookies so we can save your settings” and the detail contains “useful information on the benefits to you of behavioural targeting” then you can imagine you’ll get a lot of consent. If, on the other hand, the main message conveyed is “Consent so we can target you behaviourally… honestly it’s a good thing, and, in any case, you’re getting this for free so we’ve got to make money somehow…” you can imagine consent levels will be less good. So essentially it appears possible to use ‘Trojan Horse’ cookies to sneak the more ‘evil’ ones through in the small print. Clearly this absolutely isn’t in the spirit of the guidance but appears allowable.
  • In a similar vein to the above, it appears you can retro-actively add new cookies, or alter the function of existing cookies, without re-seeking consent as explicit as that required the first time around. The language is vague here and clearly this would be a bit ‘sneaky’, but there is nothing explicit around requirements for re-consent if you change your cookies. We might see some ‘bait and switch’ cookie consent tactics going on?
  • It is pointed out that where users log into your site it should be relatively easy to ask them for consent to cookies. Though this will need to be done *separately and in addition to* your usual T&Cs. So I’m seeing two checkboxes rather than one. This seems reasonable. However, it is much harder to get consent from anonymous users. And it is now no longer acceptable to take the user’s browser settings as ‘implied consent’. However, if you show some kind of message or notice (that needs to be suitably ‘distinguishable’, ‘prominent’, ‘positioned correctly’) and the user neither consents nor disagrees i.e. takes no action at all (which seems very likely) then this can be taken as implied consent. So I suspect we’ll be entering an era where there is some mechanic/user interface which is deemed ‘prominent enough’, that users will likely learn to ignore, and that will be enough to comply for non-logged in users. This will be important for a lot of publishers.
  • “The level of consent required for any activity has to take into account the degree of understanding and awareness the person being asked to agree has about what they are consenting to.” Does this mean, for example, that Econsultancy’s user base of internet-savvy professionals would need a lower level of consent?
  • The “Google Analytics Exemption”? The final page of the report contains guidance on the use of analytical cookies. Whilst it is clear that analytical cookies (for many this means Google Analytics) are covered by the directives, the wording here suggests that if you are using such cookies in a “non-intrusive” way (and Google have always been *very careful* not to associate Google Analytics with any personally identifiable information – indeed you are not allowed to under GA’s terms of use) then “… it is highly unlikely that priority for any formal action would be given…”. I read that as “we’ve got better things to do than go after people using web analytics”.

I think it is clear enough what organisations need to do, albeit there are still areas of compliance that are going to be very problematic from a user experience viewpoint.

Those hardest hit are large media properties that have mostly anonymous users and rely on technology-driven targeting for advertising optimisation as these are deemed the most ‘intrusive’ cookies. However, there are a number of ‘get out clauses’ for these players, most obviously the surprising apparent allowance of device fingerprinting technology for user identification.

What do you make of it all? Which areas concern you most? Let us know in the comments below...

Published 14 December, 2011 by Ashley Friedlein @ Econsultancy

Ashley Friedlein is Founder of Econsultancy and President of Centaur Marketing. Follow him on Twitter or connect via LinkedIn.

Comments (26)

Simon burgess

Brilliant useful summary Ashley

This is the interpretation of the ICO themselves, so presumably a guide to best practice.

The ICO would like to use cookies to store information on your computer, to improve our website. One of the cookies we use is essential for parts of the site to operate and has already been set. You may delete and block all cookies from this site, but parts of the site will not work. To find out more about the cookies we use and how to delete them, see our privacy notice.

Far from ideal. "on your computer to improve our website"

over 4 years ago

Lord Manley, Solutions Consultant at BloomReach

I am nervous of the analytics exception.

My reading of this is that if you are Brian's Cheese Shop you are fine, but if you are a large brand or a government agency this exception is not really a safe bet.

over 4 years ago

Rufus Bazley, Marketing Manager at Private Company

If you use the ICO as your guide of how to do it and best practice, the interesting thing is you don't seem to need an opt-out of cookies option in the notice but instead just an “accept” with tick box so the notice is hidden.

That to me would imply you're free to do the same on your own site, as long as in your privacy policy there are some details on how to remove the cookies.

Working on the fact that if the notice is ignored you can count this as implied acceptance, this all seems a little... well, pointless really.

over 4 years ago

Jonathan Kay, Managing Director at 120 Feet

Great summary Ashley - thanks.

Re The “Google Analytics Exemption”, when will they start going after people? Will it be if you're using analytics in its widest sense to look at retargeting, MVT, merchandising, site search, targeted surveys etc, even if the data is still in theory ‘anonymous’ and used for analytics and analysis, albeit sometimes in an automated way?

Be great to see a clear-cut definition of what exactly an “analytics cookie” is and isn't. And, is it non-intrusive if the visitor doesn't know it’s happening?

It’s going to be a big mess, and Simon’s comment shows how even a simple explanation from experts in legal interpretation can go ‘wrong’.

over 4 years ago

Steve Corney, Senior Digital Marketing Manager at Lexis Nexis International

So it's moved from being an EU Directive that was aimed at the nefarious (or at least intrusive) use of tracking data regardless of the method obtained, to a law that has somehow transformed to focus on cookies while exempting other methods like device fingerprinting?

In other words, all the valid concerns the law was supposed to address now have a relatively easy loophole to exploit whilst the 'rest' of the web incurs pointless and costly effort as the legislation is enforced.

I can't help but feel this is a colossal waste of time and effort all round. There's a reason many other EU states haven't been in a rush to force this idiocy through.

over 4 years ago

Paul Cook, Director at NCC Web Performance

Hi Ashley, the problem we see is that most websites with a tag management platform will have placed tags from different vendors natively all over their site and throughout each page. This makes it practically impossible to set rules as to which tags are served to people who have and have not opted in to receive cookies.

Our clients have identified this and a blog post last week explains how this works: http://blog.tagman.com/2011/12/the-state-of-privacy-do-not-track-and-why-you-need-tag-management/

In short, you need the ability to set rules when to serve tags based on each person’s privacy choice. This is impossible unless you are utilising a decent tag management platform enabling the use of business rules based on the user preferences.

over 4 years ago

Lord Manley, Solutions Consultant at BloomReach

@Rufus: The ICO website does not set cookies until you accept, so you could do the same, but your tracking, analytics, attribution and CRM would be decimated. As theirs has been. I assume we have all seen the graphs of their data following implementation?

@JK: The word 'intrusive' refers to how far it intrudes on privacy (so how attributable or detailed it is) not how much the cookie intrudes upon the user experience.

@Steve: Other member states are taking this up and those which are not are facing prosecution.

over 4 years ago

lawrence shaw, Marketing at Sitemorse Ltd

A nice summary of quite a complex matter, thanks Ashley.

There are a number of key questions yet to be answered, at EU level and locally in the UK - especially around actual enforcement. We are looking at the legalities of device 'acceptance' against the ability to actually record individual acceptance.

The definition of 'essential' is somewhat open to vast interpretation.

The ICO have a very clear and useful starting point around actually knowing what's on your site and reporting - perhaps the ICO would be more comforted if more sites started to do something, along with a consistent and simple way to actually allow visitors to review what cookies were on a site and why.

As Cookie Reports, we are working across a number of member states, and there is another level of confusion / complexity around the requirement for actual 'prior' consent - with some requiring (UK) and some not.

We have a paper offering a breakdown of the local requirements I'm happy to share.

This also then begs the question around 'fair and open market' - if UK businesses are being unfairly restricted in their operations and capability, a question over the enforcement would prevail.

Anyone who would like a free summary for their site, please drop me a line - happy to provide.
lshaw (a) cookiereports.com

over 4 years ago

Ashley Friedlein, Founder, Econsultancy & President, Centaur Marketing at Econsultancy, Centaur Marketing (Staff)

@Lord Manley - yes, obviously this isn't an official analytics exception and BigCos no doubt need to be seen to be doing the 'right thing'. It's going to be like the Millennium Bug all over again. Plenty of consulting opportunities! Not sure whether Google have published any official guidance/interpretation etc. their end?

@Jonathan/Steve - broadly, yes, I agree it's one big mess! Whilst they couldn't possibly say so I think the UK's ICO isn't necessarily comfortable with what it's being forced to enforce. I think there is a strong 'political' element to all of this - the French and Germans, in particular, are much stronger on privacy in their national laws than the UK.

@Paul - so this is all good news for TagMan? ;)

over 4 years ago

Andrew Nicholson, Founder at The Guku

I foresee serious implications for early contact marketing automation systems. How do you pointscore an anonymous user without cookie technology?

over 4 years ago

Ashley Friedlein, Founder, Econsultancy & President, Centaur Marketing at Econsultancy, Centaur Marketing (Staff)

@Andrew - guess you could use 'device fingerprinting' instead of a cookie. Or you'll have to persuade users to accept the cookie using one of the more, or less, 'cunning' techniques I suggest above.

over 4 years ago

Andrew Nicholson, Founder at The Guku

I have to admit to being impressed by those particular techniques @Ashley. "So cunning, you could stick a tail on it and call it a weasel!", as it were.

over 4 years ago

Paul Quinn

Good article Ashley, thanks.

I would have to agree with Manley on the 'analytics exception' though.

Anybody, who is particularly concerned about their company reputation with regards to regulation will have to comply and gain consent for cookie-based analytics. I hold this view not because of what I do but because it's what I believe will happen.

over 4 years ago

Richard Beaumont

One of the important messages that came out I think was that companies are not expected to get it perfect, but they should be seen to be working towards full compliance.

At the Cookie Collective we believe that what will emerge from this is a new level of transparency between business and consumers. Those brands that will win out will be the ones that find a way to deliver increased value to consumers in exchange for their consent.

In terms of mechanisms for consent, our approach is both simple and applicable to almost any website: http://www.cookielaw.org

We don't think it will end there though. We are already working with clients on how to build a range of consent mechanisms and incentives - and this will be a very interesting area throughout 2012.

over 4 years ago

Mike O'Neill

Is your telephone number personally identifiable information? It is just a string of digits and does not contain your name or address, but a simple database (reverse directory enquiry) lookup can get that data. It is the same with cookies.

Browser fingerprinting is not currently illegal because no information needs to be stored in the browser. Some techniques being put forward, such as using downloaded JavaScript to recognise keystroke patterns etc., are probably illegal, but simply using the IP address is not.

One can expect the law to change though when IPv6 becomes prevalent. At the moment widespread NAT and IPv4 means IP addresses are not specific enough to identify people, but with IPv6 this is no longer the case.

over 4 years ago

Meriel Lenfestey

At Foolproof we’ve been doing a lot of work with major clients on the cookies directive and generally I think you’ve produced a good summary. However, I’m not sure I can agree with your interpretation of 2 of your loopholes.

Seeking consent for all cookies is allowable but the report states on page 17 that “Any attempt to gain consent that relies on users’ ignorance about what they are agreeing to is unlikely to be compliant”. I’d suggest that sneaking ‘evil’ cookies into the small print is relying on users’ ignorance.

I don’t agree that ‘bait and switch’ will work. The guidelines are explicit on page 22 in saying “if the purposes of the cookies you use changes significantly after consent has been obtained you will need to make users aware of the changes and allow them to make the choice about those activities”.

I find it useful to think of the directive as requiring consent for cookie purposes rather than individual cookies. A single site may use hundreds of cookies (like our clients), but they actually only need to gain consent for 3 or 4 purposes. If new cookies are needed which fit into a purpose for which consent has already been provided, then there’s no need to seek additional consent. However, if an existing cookie is to be used for a new purpose for which no consent has been given, consent must be gathered again.

over 4 years ago

Robert Easson, PRODUCT MANAGER at Phaidon Press Ltd

It would be good if Econsultancy could keep a regular update going on this particular issue. The amount of confusing and different "interpretations" of what acceptable cookie usage is and isn't, is turning us lowly e-commerce folk into more than regular customers of Majestic.

Following a seminar on this very topic today with guidance presented from the DMA, I was given the impression that even if I was Brian of said Cheeseshop, then all cookie usage was to be disclosed by an awful opt-in form/toolbar/pagepeel, which is bound to impact hugely on the business of making a website do its job properly and for the benefit of users. (Apart from the BBC who will most likely be exempt!)

Grr, I feel the pull of a bottle of kardonnay coming on.

over 4 years ago

Ashley Friedlein, Founder, Econsultancy & President, Centaur Marketing at Econsultancy, Centaur Marketing (Staff)

@Robert - I fear it's currently a train wreck in slow motion. Most of us are still hoping to just 'hide' and hope it goes away. Maybe the lobbying dollars of the big internet companies will make a difference somehow in time? (like with SOPA in the US)

I did have a discussion with a tech company + lawyer the other day about us jointly coming up with a service whereby you could see what cookies you had (tech audit) and then we could do a table/grid showing whether your cookies were 'good, bad, or in the 'open to interpretation'' area.

The trouble is that no-one really wants to be giving legal advice on this (except perhaps lawyers and even they're not sure) least of all Econsultancy!

over 4 years ago

Steve Corney, Senior Digital Marketing Manager at Lexis Nexis International

Ashley - is it conceivable that Econsultancy could use its collective digital prowess and dedicated following to start a petition/campaign against this idiocy in the same way as various parties did with SOPA in the US?

Outside of the digital sphere most people have no idea about this ruling, or the impact it will have on the sites they use, and how damaging it could be to the businesses who rely on internet sales.

The wider effects also haven't been widely documented. From a B2B perspective, the difficulties now associated with nurturing a prospect to sale suddenly become far more onerous. Won't this lead to a rise in cold calling tactics as companies become desperate to reach targets? Who in their right mind wants that?

over 4 years ago

Lord Manley, Solutions Consultant at BloomReach

I do not see the problem with giving advice on this regulatory directive - it really is not as scary as everyone is making out, more 'inconvenient'.

Change is never fun, but this really does not need to be more than a minor issue for any website - sure there are business decisions to be made, but once a decision is reached the actual implementation is fairly painless and the reciprocation minimal.

over 4 years ago

Ashley Friedlein, Founder, Econsultancy & President, Centaur Marketing at Econsultancy, Centaur Marketing (Staff)

@Steve - too late to petition... it's happening.

@Lord Manley - what we're keen to do is capture/benchmark and report on examples of how people are actually implementing this from an interface/mechanic/design/UX point of view. We're really struggling to find any examples yet (excluding ICO's own site). You know of any?

over 4 years ago

Lord Manley, Solutions Consultant at BloomReach

@Ashley - I know of plenty in the pipeline (some which I like, some which I hate) but none which are completed.

Essentially, this is the joy of a phased approach - many of my clients have audited their cookies, html5 local storage and LSOs, assessed their existing levels of compliance, rated the extent to which these are intrusive, removed unnecessary or obsolete examples, updated their cookie policy to be more detailed and informative, assessed alternate options for obtaining informed consent and begun to develop strategies (or, in some cases, got as far as staging with solutions).

It is important that this is implemented appropriately, however, and the ICO's decision to allow us to develop these solutions in a staged manner like this means that we have not had to rush things through the door and we can take our time about ensuring that what we do provide is appropriate to the market, adheres to the directive and does not destroy the user experience.

over 4 years ago

Ashley Friedlein, Founder, Econsultancy & President, Centaur Marketing at Econsultancy, Centaur Marketing (Staff)

@Lord Manley - all good points. However, the fact that no-one has actually yet set live their new opt-in mechanics suggests to me a) they think it'll make the user experience worse so they'll leave them off until D-Day and b) no-one wants to be the first to break cover (although could be a good PR opportunity?) and c) people are still sort of hoping something will change so they don't actually have to implement anything. I suspect many will have some initial 'mock ups' ready just in case anyone comes knocking and they can then show 'progress' (a defensible position).

over 4 years ago

Lord Manley, Solutions Consultant at BloomReach

I could not disagree. In fact I would suggest that it might even be a sensible approach being, as you so rightly point out, eminently defensible.

I do know of some brands who are actively developing, however, so there will be examples to be seen fairly soon.

over 4 years ago

kevin mason

Does this mean that if a visitor doesn’t accept cookies but chooses to go into the site, every page will have to ask them to accept them, as we can't save a cookie saying they don’t want cookies?

over 4 years ago

Allan Gourdie

As a technologist and small business owner I rely on dozens of legitimate 3rd party products, many of which would become unusable without cookies.

I think the cost of complying with the law by altering all software and 3rd party products will be immense and put many hard working small online businesses out of business.

It's difficult enough to improve your site when you can see what people are up to with analytics. But trying to do it blind is completely impossible.

Kevin has made a very good point that almost all software will require to store your preference to not use cookies, as a cookie! Otherwise, the very next page you go to will have to ask again!!

All this to solve the problem of 3rd party ad networks following you around with the same ads!

about 4 years ago
