While most digital marketers are making at least some preparations for the implementation of the EU's e-Privacy Directive, the vast majority see it as a negative step for the web.

Econsultancy has surveyed more than 700 marketers for their opinions on the EU cookie laws, and to find out what preparations have been made for the May 26 deadline. 

We have published the full results of our EU e-Privacy Directive Survey for you to download, but here are some of the highlights from the study. 

(UPDATE, 18 April 2012: Our new report, The EU Cookie Law: A Guide to Compliance, explains the legislation as far as it affects UK online businesses, sets out some practical steps that you can take towards compliance, and includes examples of how websites can gain users’ consent for setting cookies. Do check it out.)

What do digital marketers think of the EU cookie law? 

Not surprisingly, the vast majority of respondents don't see any positives in the e-Privacy Directive. Just 18% think the directive is a positive development for the web. 

In your personal view do you think the EU e-Privacy Directive is a good / positive development?

Respondents were also asked to leave comments, and here's a representative sample: 

Plain and simple - this change will KILL online sales....

It's a genuine attempt to manage privacy issues but it's created by politicians and fails to address the realities of doing business.

While I'm all for protecting privacy, the bit of this directive that applies to cookies has been ill thought out. Rather than try and analyse what cookies are actually intrusive, they've just 'banned' the lot! The lack of advice or guidance from the EU or Govt has made things worse.

It is positive in highlighting the use of cookies to users however I think the potential need for each site to gain permission from users is going to damage the user experience.

It's a travesty of an orchestra, conducted by Terry F***witt. They fail to discriminate between bad (multi-site/advertising/targeting) stuff and good stuff (me using Clicktale or analytics to help UX).

Are digital marketers aware of the EU Directive? 

More digital marketers have heard of the directive than you might think.

57% of our respondents have read the e-Privacy Directive, while 67% say they are aware of the date that it becomes enforceable in the UK. 

Also, 64% have read the guidance on the directive which was published by the Information Commissioner's Office (ICO). See Ashley Friedlein's article for our take on this guidance and what it means. 

Have you read the guidance from the UK’s Information Commissioner’s Office (ICO)?

Some thoughts from our respondents on the ICO guidance: 

It's like the blind leading the blind, sometimes it just seems that people in charge are so out of touch, it's sad.

Do they implement it properly themselves? Aren't they seeing a huge dip in their analytics just at the time they need to know? (Yes, they are)

Guidance from the ICO, although painful, is as sensible as it can be, given the absurdity of the EU directive

I feel the "guidance" was fairly useless in terms of how to actually deliver. Doing a cookie audit is as far as they will go, that's the easy bit!

Are marketers making preparations for May 26? 

The first step online businesses need to take to prepare for the implementation of the directive is to look at existing cookies on the site and to decide what is and isn't important.

According to our survey results, 54% have carried out a cookie audit in preparation for the deadline. 

Has your company done an audit of cookie usage in preparation?

It may seem like a simple first step, but that can depend on the type of online business. Some comments: 

This is a difficult task for many businesses, especially with no in-house tech skills, or where third party functionality (e.g. quoting engines ) is integrated.

We are in the process of doing an audit at the moment - unfortunately we have about 200 websites built by a variety of suppliers over the past decade so it's a long and arduous process!

Some respondents haven't audited cookies, and intend to defy the EU: 

We don't intend to (audit cookies). Civil disobedience in the face of atrocious law. Strength in numbers, who will they sue first?

Our entire business model is based on tracking transactions on our sites. We wouldn't be in existence without them and we would disappear if we followed the directive.

We are going to wait to see what happens to other people on the basis that we'll be REALLY unlucky if it's us that gets prosecuted first.

However, others see this as a positive step:

We had way more cookies than we realised. In this regard the legislation has probably done us a favour from a page load perspective, if nothing else! It's also helped us push a container tag solution through IT.

Do marketers understand the options for gaining user consent?

Exactly how websites will gain consent from users to store cookies is the big question here. Just 39% say they have an understanding of the options for asking users for permission. 

Do you have a clear understanding of the user interface options to get consent?

The comments from respondents suggest that there is some confusion here.

Some are hoping for a browser-level solution to cookie consent, but the directive says that users need to give overt and informed consent, so the user experience does need to be interrupted in some way. It's the extent of that interruption that businesses need to make a judgement on.

There are a range of options for gaining user consent (we showcase three examples here) but there are pros and cons for each and the solution may well depend on the type of website and business model. 

According to Foolproof's Meriel Lenfestry:

A site which only uses cookies which drive core features the user explicitly requests, e.g. shopping basket in an e-commerce site will probably be compliant without changing anything. This is true of very few online services. For the rest, it is not possible to comply without affecting the user experience.

The lack of a unified solution is a worry for some respondents, as they fear it will lead to much confusion for web users: 

My concern is that there is no industry use of consent and users will get confused if lots of different techniques are used. The simplest way to promote this is that users can opt out via their browsers.

It seems there are a number of ways we could do this and none of them particularly great. I worry that users won't read any notices properly, will disable cookies without really realising and then wonder why the website isn't working/as intuitive as it was before.

This comment says it all:

The option mechanics are simple enough. The issue is when/whether they should be used. They will scare people about something that is in most cases innocuous. Are we asking people that forcefully if supermarkets can profile shoppers, or if shops can monitor behaviour or if they are OK to be filmed on CCTV?

Do people really feel exposed and do they really understand how things would work without such business intelligence being gathered. Perhaps we should ask in the pop up "click here if you want to damage the economy, make the UK less competitive and risk unemployment and damage the UK's position as a top digital economy".

It seems that some respondents will simply wait and see what others do: 

..we will adopt the absolute legal minimum as late as possible - let other people go first and see what happens...

Do web users even know what cookies are? 

One major issue with this directive is public awareness of what cookies are and what they do.  

Cookies have existed on the web for years without any need for the public to be made aware of them. Sure, they are mentioned in the T&Cs on every website, but who reads them? 

Suddenly, web users will be seeing messages about cookies all over the place, accompanied with alarming references to tracking, privacy, and so on. This kind of messaging may make some users run a mile. 

This is a big concern for our respondents. Just 7% think that users will understand what cookies are. 

Broadly speaking, do you think web users will understand about cookies and the consent required?

The comments reflect this concern:

It's not just what users will see onsite...the negative PR around the directive from the mainstream press will result in people being more confused and hence rejecting consent.

As this comment suggests, perhaps the likes of Amazon (if it implements this) and Tesco will be more likely to gain consent: 

I think many will either "just say yes" or just refuse, without fully understanding either the privacy issue or how their user experience will be affected if they don't use cookies. It will really depend on how much they trust the brand of the site.

Any casual user is bound to say no to anything they perceive as spying on them. Analytics - no matter how important to us in marketing - falls under this category. This is going to decimate analytics - very literally looking at the ICO post-implementation figures in which 90% of their site users did not opt in to analytics.

UPDATE: We received the following comment from an ICO spokesperson:

The ICO has been clear from the start that the changes brought in by last year’s amendment to the EU e-privacy directive present challenges to the way UK websites operate, particularly with regards to their use of cookies. However the directive has already been passed into UK law and the ICO is working hard with industry bodies and other interested parties, to ensure that organisations operating websites in the UK are not only aware of the new changes, but are also provided with advice on how they can work towards compliance.

While it is encouraging that over half of companies have carried out an audit looking at how their website uses cookies, it is important that organisations who have yet to take action do so before the end of May, when the year long lead in period we have provided expires. Every website will be unique and therefore the ICO can not proscribe the actions every individual organisation should take, however our guidance provides information and examples which explain what compliance with the new changes looks like.

We will continue to update this guidance so that it incorporates best practice advice from the industry, where we believe it will help other organisations to become compliant.


Published 14 March, 2012 by Graham Charlton

Graham Charlton is the former Editor-in-Chief at Econsultancy.

Comments (48)

Bertie Stevenson

TagMan's very own Chief Privacy Officer will be at Digital Cream tomorrow (15th March 2012) for those who want to hear how we are helping our existing clients comply.

over 4 years ago

Mike O'Neill

For companies needing to get cookie audits we have a low cost but detailed & complete automated service. http://cookieq.com/cookieq/purchase.
We also have a complete & already in use compliance service.

over 4 years ago

Andy Parker

The comment regarding CCTV is poignant, but is only reflective of one purpose for cookie usage.

You can't run websites without some basic form of cookie and this law makes no sense to anyone including those who are enforcing it.

Nobody cares. Unless you're working on a charity or government website you will not be wasting money and resource on auditing or implementing changes to your site's build.

over 4 years ago

Mark Steven

There's a kind of wilful misunderstanding of this issue that the advertising industry is doing little to help.

In theory, there should only be a couple of things that are negatively affected by the legislation:

- online behavioural advertising (OBA)
- the "return visitor" metric in analytics (though this can be addressed to some extent via other methods)

PPC / Display ad networks don't need cookies (with the exception of OBA) to measure click throughs or impressions.

For almost every other kind of cookie there is a solution: either an exemption under the regulations, a "moment of consent" - for example when someone explicitly sets a preference on your site, or a simple tweak to your code.

Big ad networks / Analytics providers such as Google are holding fast to the erroneous industry line ('a global "opt-out" option is enough'), and they're not doing anything to help webmasters comply - for example by engineering cookies out of their services.

Consent solutions are a pain in the proverbial, even the elegant Cookie Control (http://www.civicuk.com/cookie-law); but with a bit of thought, most offending cookies can be engineered out altogether.

over 4 years ago

Kevin Edwards

The results of this survey are hardly surprising and while I'm no fan I do recognise that as digital continues its significant growth so it also has responsibility to self-regulate.

It's useful I think to reference Deloitte’s recent Media Democracy report that stated only 16% of consumers are positive about their data being used for targeted advertising. As technology becomes increasingly sophisticated and targeting techniques honed so we risk a backlash.

We still have the ability to shape the message: doing nothing or positively rallying against it risks onerous, misguided and enforced regulation from outside our industry.

over 4 years ago

Steve

More people should go and have a look at the directive directly instead of relying on other people's interpretations:

EU legislation (EU Directive on privacy and electronic Amendment - 2009-136-EC)
Paragraph 66
"Third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses). It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible."

The legislation targets accessing people's PCs and phones - and some cookies will be affected
But not all. You have file-based (client-side) which utilise a user’s pc and session-based (server-side) cookies which do not utilise a user’s pc. You can have email marketing and full (session-based) cookie-based websites fully functional without storing or accessing anything on the user’s pc. None of these are covered by the PECR. They are covered by different parts of EU and UK data protection laws which have not changed.

over 4 years ago

Phil Pearce

Phil Pearce, Senior Web Analyst at ConversionWorks.co.uk

Here are my thoughts on the Cookie Law Survey.

1a. A question that was not raised above is... Could a website pop-up culture lead to increase in VIRUS downloads via ClickJacking (e.g hidden "install virus" box, behind the consent box)?

For example - I recently visited a website claiming to be an opt-in plugin, but instead it just tried to install a virus on my PC! (Note: only the "allow" button tried to install the virus). With this in mind, is there a risk that web-site popup consent boxes could lead to an influx of viruses? (As criminals take advantage of users' lack of understanding of this change, combined with a click interaction that allows for "user-led install")?

Given that "Security" is more important than "Privacy"... then the Cookie Law consent should be DELAYED until standardised browser-based opt-out privacy interfaces are deployed (which allow for much safer security than the proposed website popup model).

1b. What are your thoughts? Will we see "Rogue pop-up" virus charting on the list of top infections, in mid-May? www.avgthreatlabs.com/webthreats/#timeline_individual

2. Regarding the Browser based solution, I would expect a centralised database of tracking websites - Here is an example based on privacychoice.org database: http://www.privacyscore.com/score_details/9532f73fa18b41fc9316f5b3310d207d/showcase

A centralised database solution is similar to the StopBadMalware system, which is enabled on all modern browsers already (This is in addition to IE9's opt-out lists, and DNT header, and Chrome's cookie-rendering settings API Beta, GA opt-out plugins, and Firefox's collusion notice-strengthening plugin).

3a. These hosted non-standardised opt-in plugins can have a negative impact on SEO. For example, using a server-side opt-in (such as on ico.gov.uk) means that the opt-out text is cached on EVERY page on the website; this causes keyword dilution and an onsite duplicate content issue on pages with little content, as these pages are all clustered together rather than individually indexed.

Example: site:ico.gov.uk intext:"ICO would like to use cookies to store information on your computer"
http://tinyurl.com/exampl-cache-ico-gov-uk-intext

There is no standardised microdata markup or schema.org for website notices, thus GoogleBot has no way to differentiate (and thus ignore this junk text). Hence… Organic ranking will REDUCE when server-side opt-ins are enabled! Also, organic CTR will reduce slightly due to the ugly image snapshot on SERP, and the warning popup notice text being shown within the SERP snippet.

In fact Google even has a company motto...
"Google does NOT allow pop-up ads of any kind on our site. We find them Annoying."
http://www.google.com/help/nopopupads.html

+1 that! I hate pop-ups ;)

3b. The SEO impact gets worse when developers try and do crazy things on international websites, like displaying a different language serverside popup based on geo-ip. The net result is that a GoogleBot Cloaking warning is triggered - Doh!

http://www.sweden.gov.se/ - failed CLOAKING check http://web-tool.org/cloak-check/cloak-check.asp

4. There are also negative implications for PPC, in that AdBot applies a landing page penalty and consequently increases the minimum bid for websites using certain types of pop-ups!
This is well documented here:
http://adwords.blogspot.com/2006/04/why-no-pop-ups.html
http://support.google.com/adwordspolicy/bin/answer.py?answer=175904
http://adwords.blogspot.com/2011/04/more-clarity-in-adwords-for-advertisers.html

Note1: DHTML (Dynamic Hyper Text Markup Language) aka floating menus are not affected by the PPC penalty (as no new window is opened).

Note2: Adding privacy links can also reduce min bids, for example just adding a privacy footer link or embedded form link can actually remove a QS penalty, so good and bad effects!
http://www.seerinteractive.com/blog/adwords-gets-serious-about-privacy-policies
http://tinyurl.com/adwords-PII-capture-policy

Thanks

Phil

P.S I am on the WAA cookie law committee - we are in the process of creating shared resources for Web Analysts and Marketers to help combat this law. Feel free to reach out to me and I can add you to a shared DropBox.

P.S. The ICO is talking about this topic in London in 2 weeks' time at WebAnalyticsWednesday 28th March at 6PM, sign up here:
http://www.webanalyticsdemystified.com/wednesday/list.asp?event_city=London

over 4 years ago

Kevin Beynon

Interesting responses and comments from marketers, but the law is there to protect users, not revenue.

I also originally thought the law was ridiculous, but after taking a closer look at the actual EU Directive, not the ignorant interpretations, it makes a lot of sense and is very necessary due to the prior behaviour of the advertising and marketing sector.

What disappoints me is that, instead of helping educate users, we're railing against something that is already law.

Agree with Mark Steven, Kevin Edwards and Steve. Read it, understand it and get with it.

Kevin

over 4 years ago

Graham Charlton

Graham Charlton, Editor in Chief at ClickZ Global

@Kevin. We are just presenting the results as we received them and, though there are some serious issues with the law, I agree that it's now time to find the best (or least worst) approach to comply with the regulations.

The results suggest that most are now doing that, albeit reluctantly.

over 4 years ago

Gary Bicker

Gary Bicker, UK Country Manager at affilinet

The fact that marketers think that the EU Cookie Directive isn't good for the web isn't really all that surprising. For me the more alarming figure is that 93% don't think that consumers will know what cookies are. As we hurtle towards the 25 May deadline, there is a key piece still missing from the puzzle – consumer education.

Despite the fact that it will fundamentally change how each and every one of us interacts with the web, to date Google is the only company to try and educate consumers about implications. Whilst this is admirable, arguably the responsibility to educate the public at large actually resides with the body that will be enforcing it. If the Directive is to be integrated in a manner which is beneficial to all, it's not just the industry that needs some clarification – it's consumers too.

over 4 years ago

Adrian Bold

Adrian Bold, Director at Bold Internet Ltd

I guess whether good or bad from a marketer's standpoint is largely irrelevant. The bigger concern, I would have thought, is how this law is being rolled out and communicated generally.

I'm not going to pretend for one moment that I really understand all of what’s involved here but seeing the clumsy manner in which the ICO website (http://www.ico.gov.uk) have tried to implement this says a lot. Poorly thought through and nigh on impossible to implement well.

over 4 years ago

Yannis Anastasakis

On the point of what this does to businesses, I had an interesting insight...
Some of my students work for massive blue-chips that have run multivariate tests. They reported 90% bounce rates on landing pages that implemented the directive fully.

On top of that, I KNOW there are legitimate and honest businesses with real value to offer that would just have to close shop if they were to comply fully.

The end result is that a lot of people will do the best they can, those that comply the least will benefit the most (at least whilst this is becoming the norm and consumers get used to it - if they ever do), and consumers will grow more and more scared of their own shadows.

All this whilst rogue cookies will still be installed and virus installations/consumer exploitation from malicious operators will continue unaffected (these people by definition don't comply with any directive or law).

I was also particularly interested to see comments above relating to rogue operators taking the opportunity to make their lives easier through fake compliance pop-ups.

This directive is scary in so many ways.

over 4 years ago

Graham Lomax

COMPETITIVE DISADVANTAGE: This legislation is being interpreted in different ways by different countries within the EU. As is often the case our bureaucrats seem to be taking the most punitive interpretation of the directives. So if you choose to align yourself with the German interpretation you might be able to avoid some of these difficulties. Obviously you would need to seek your own legal advice but I have a summary produced by our legal counsel and if anyone would like a copy then please call me on 07720 292304 or drop me an email graham.lomax@acxiom.com

over 4 years ago

Graham Lomax

This legislation is being interpreted in different ways by the various governing bodies throughout Europe. As is often the case our bureaucrats seem to be adopting the most rigorous interpretation.
So if you adopt the German interpretation of this pan European directive then you may be able to maintain a significant competitive advantage. You would have to take your own legal advice but our legal counsel have produced a summary document which I am happy to share. Call me on 07720 292304 or email me at graham.lomax@acxiom.com for a copy

over 4 years ago

Fiona Hall

Fiona Hall, Senior User Experience Consultant at Boots UK

Thanks eConsultancy for doing this survey and thanks to all the other blog posters too. All the useful links, opinions etc. have really helped to inform our thinking on how to approach this.

I think I have said this before but our biggest collective challenge is how we educate consumers that not all cookies are bad.

over 4 years ago

Mark Gavalda

@PhilPearce excellent comment! I didn't even think about some of the points you mentioned but of course with any law that was created on a table to support some politician's career instead of "in the trenches" in its current form it's a lot scarier than useful... :-/

over 4 years ago

Kevin Edwards

@Graham Lomax, all the evidence I've seen shows the UK is actually taking a relatively pragmatic, light touch approach. If you think our interpretation is punitive, speak to the Dutch.

over 4 years ago

Colin O'Malley

Excellent discussion prompted by a very timely study. A few observations:

a. More than half of companies surveyed have obtained a cookie audit. That's an important signal that despite the grumbling, companies are actually taking broad action to begin, as the ICO would say, on the road to compliance.

b. Kevin Edwards: agree that the ICO is interpreting the legislation in perhaps the most pragmatic manner of any regulator that has been active on the topic. The Irish are there with them. The French are more strict. The German position is still in flux. And yes, the Dutch are on another planet.

c. Adrian Bold: agree that ICO implementation is both clunky and deceptively difficult to implement. All these banner style explicit consent 'solicitations' suffer from the same fundamental flaw. 'Won't you please consent? What, no? Hmm.' And then you have to deal with 90% non-consented audience and figure out how to turn off all non-essential tracking for those folks.

d. Steve: while the letter of the law refers to storing information 'on terminal equipment,' you have to bear in mind that regulators are taking a broader view. The logic here is clear. At its core, the law is meant to protect user privacy. You can easily envision a market that switches over entirely to alternative tracking technologies (browser fingerprinting, etc.) and resumes the full range of commercial data practices while ignoring the law. That would clearly make the regulator look ridiculous. So this is about tracking activity, broadly, cookie based and non-cookie based, with storage on terminal equipment and without.

over 4 years ago

Steve

Colin, the wording AND the purpose of the EU Directive on privacy and electronic Amendment - 2009-136-EC relate to 'gaining access to terminal equipment' and 'unwarranted intrusion'
Not tracking.

SOME (not all) cookies are affected by this because they rely on 'gaining access to terminal equipment'
Not because they perform tracking.

Tracking is affected as a consequence of these regulations, not because tracking was the purpose.

So, while wider controls and regulations on tracking are a good idea, and WILL come about soon; they are not part of these regulations.
Regulators may choose to take a broader view, but any additional tracking/privacy/data-protection guidelines which are implemented will be done so on their own merit, and not as part of the very badly termed 'EU Cookie Law'.

over 4 years ago

Mike O'Neill

Colin,

I do not understand why people continue to accuse the Dutch of being out of line with the rest of us. The only aspect that they emphasise differently is the need for independent proof (of consent) which is really just common sense. If publishers get taken to court they will need that for their own defense.
They may have avoided the weasel words added into the UK enabling law (e.g. the confusing stuff about implicit browser settings based on the already damaged recital 66), but that is simply just Dutch honesty and pragmatism.
The "browser fingerprinting" threat was created to spook people and make the opt-in requirements look pointless (and try and foster support for the compromised US DNT initiative). The famous EFF panopticon test was based on downloaded javascript sending back stuff like lists of installed fonts back to the originating server. This is probably already illegal under the PECR, because it relies on storing information in a browser (JS files in the cache). In any case they had to use a session cookie to thread the returned info back to the original request.
Just using an IP4 address to track people is useless, and the privacy enhancements will stop it being used in IP6.
If you are looking for an effective but low cost (free in some cases) cookie audit for your site, and a tried and tested opt-in service, take a look at http://cookieq.com.

over 4 years ago

Mark Chapman

Mark Chapman, Director of Client Strategy + Services at White Hat Media

So... what's the next steps after the survey...?

over 4 years ago

Steve Dalgleish

Just to clarify Phil's comments below:

The Web Analytics Wednesday London (WAW) featuring a representative from the ICO has now changed to the 4th April as the ICO are on strike on the 28th!!!!

If you'd like to attend and for full details go to http://www.lynchpin.com/blog/web-analytics-wednesday-london-4-april-2012

over 4 years ago

Matt Stannard

Very interesting comments.

@Phil - Couldn't agree more, please add me to DropBox!

The point about consumer education is a good one, but part of me can't help think that this really is just the surface of a much bigger issue.

Most consumers don't read T&Cs of applications they download, so in my view giving consent to a site doesn't make their privacy any more or less protected.

For me, this type of change needs to be part of a browser, with as suggested before with a recognisable cookie database so people know what and to whom is being disclosed verified by a third party, not what the site says.

over 4 years ago

Steve

Mark: Next steps?
Don't get put off by any of this.
Start taking simple, small steps to inform your customers what you are doing and why.
Where possible, give your customers choice.
Start looking at 'the right to be forgotten'

Simple things like:
Allowing people to purchase without creating an account - but give your customers compelling reasons to create an account by giving them real benefit.

Allow customers to delete/obfuscate (replace their customer details with dummy data) their account history - but give them reasons NOT to do this

When you create an account or someone signs up make it clear at that time why you are collecting certain pieces of information and explain clearly why it benefits them. Give them a choice to NOT be tracked and recorded.

In summary - choice and visibility. Start providing those. Do what you can now, and think about how you can make improvements in the future.

over 4 years ago


Russ

Many thanks for the survey. The results and comments make salutary reading, and I think demonstrate the huge educational task ahead for ICO and its equivalents across the EU.

over 4 years ago


Kevin Edwards

I mentioned this in the other recent econ blog post on the issue: the Affiliate industry is pursuing a five point plan based on transparency and education rather than overt technical solutions.

This gives us the greatest chance of being able to inform consumers and the ability to control the message.

See the Affiliate Marketing Council's blog for more details: http://www.iabaffiliatemarketing.com/iab-affiliate-marketing-council-publishes-consumer-transparency-framework/

over 4 years ago


Colin O'Malley

@Steve: we agree of course on the wording (hard not to). But I'm unclear on your source for the 'purpose,' which originated first in Brussels and has been inherited by member state legislators and then regulators. I've had multiple discussions on this point with DPAs from Ireland, UK, France, Spain, etc. They have unanimously indicated that the Directive is meant to address privacy (and the tracking impacting that privacy). It is NOT technology specific. Cookie-less tracking is in no way exempt.

Gary Davis, Deputy Data Protection Commissioner for Ireland, actually said as much on an Evidon webinar in February. Recording here: http://bit.ly/zDtlqh

over 4 years ago


Colin O'Malley

@Mike O'Neill

Your question is rather striking. The Dutch are interpreting the Directive, and are intending to enforce it, with a strict explicit consent standard. Full stop. That is, objectively, out of line with the largest markets in Europe (UK, France, for now Germany), and it has enormous commercial ramifications.

Now .. we can have a separate discussion about whether or not that is reasonable or just. Probably best for another forum. But I don't see how reasonable folks can argue about whether there is a difference.

As for solutions, large operations that want an array of options, rather than one cookie cutter with an entrenched position, do actually have options.

At Evidon, we provide the full audits, as well as multiple consent flavors that have been vetted by the regulators.

over 4 years ago


Mike O'Neill

Colin,

There was no question, I am just fed up with the Dutch being rubbished as if they were out of line, which they definitely are not.

Most member states including the UK have or will shortly enable the directive, and so will all be opt-in or, in your terminology "strict explicit consent".

This was debated in Europe for over 3 years before being accepted by the EC in 2009 and voted in by the EU parliament with support across the political spectrum.

It might be a surprise to many but this is the fault of those tasked with keeping people and businesses informed, combined with the Canute-like attitude of the tech & advertising industries.

I agree that large operations need a flexible solution, that is why we at Baycloud developed ours. It allows a range of compliance interpretations but crucially can let operations show respect for their European customers by actually empowering them to give or withdraw their consent at any time.

It also offers independent proof of consent where that is needed.

@incloud

over 4 years ago

Phil Pearce

Phil Pearce, Senior Web Analyst at ConversionWorks.co.uk

@MattStannard (and others) If you DM on @philpearce or add me to linkedin, I can add you to DropBox shared folder.

In DropBox, I have folderised: ConsumerEducation Videos, Blog posts, iGoogle Privacy Dashboard, Implementation examples, Privacy Research, Funding sources, List of opt-in plugins, Compliance plan templates and more.

One other point I forgot to mention...

5. Retailers offering 5% discount for users who opt-in. This is a great value-exchange technique (effectively an online equivalent of a Tesco Clubcard "track my activity in exchange for cash/vouchers" :)

HOWEVER, this could lead to complications with GoogleBase product feed, as the GoogleBase crawler is unable to click the apply 5% discount button. Hence the retailer is forced to show the higher priced products in the xml Feed (or risk the feed being disapproved); this is because the prices in the feed must match prices on product landing page.

Additionally, if ALL retailers installed this popup technique, then Adwords CTR would reduce - because prices in Adverts, ProductExt and DynamicAds would appear less competitive on SERP, thus Google's blended CTR and thus revenues would decline (unless a new field is added to GoogleBase feed to include the opt-in discount).

1c. Cool development.. I just got an email from ICO's tech advisor, saying the Rogue-popup virus is an "interesting" development.

I can only infer, that they mean this has not been accounted/planned-for?

Although it is unknown, if this would reach the crazy levels of the MSBlast virus in 2003 where MS had to call-in 600 technicians, just to answer phones. The important aspect is; IF the Risk-Level is SIGNIFICANT, then the May 2012 Cookie law must be PAUSED until a safer browser opt-in method can be deployed.

Here is a Microsoft video about the MSBlast pandemonium:
http://www.microsoft.com/about/twc/en/us/twcnext/timeline.aspx#2001-01

Here is more clarity, on why the "Rogue-popup" virus is significant..

1d. If the exploit and payload is hidden behind a server-side insert, which is only shown by a user-interaction, triggered by the opt-in allow box. Consequently AUTOMATIC methods of detecting an infected website via a SafeBrowsingBot or AdBot crawl would not work (unless the format of the allow box was standardised and the GoodBot was trained to press this button).

Thus any virus using this technique would avoid detection for longer, and hence spread faster! Gulp.

Example: Google AdBot auto-detection malware (won't detect a server-side opt-in virus): http://www.youtube.com/watch?v=4VewFkix7qg#t=64s

A similar technique has been used by email viruses, using a password-protected attachment and placing the unzip password into the email body, for a user to read. Thus email-scanners cannot AUTOMATICALLY open and scan the infected file (unless they are trained to extract the password in the message body).

1c. I just noticed that a client-side (rather than server-side) virus called "JS-popup" is trending on AV top threats list (it has been since Nov-2011, but it is resurfacing).

It currently accounts for 3% of all infections:
http://www.avgthreatlabs.com/webthreats/info/js---popup/

Here is a screenshot of the "CookieTAB" client-side VIRUS (it tries to run a Windows Exploit).
http://twitpic.com/8xezqz/full

Thanks

Phil.

Please DM to @philpearce to get access to the shared-DropBox.

WAW london date change - ICO is talking about this topic in London in "3weeks" time at WebAnalyticsWednesday 4th April at 6PM signup here:
http://www.webanalyticsdemystified.com/wednesday/list.asp?event_city=London

over 4 years ago


Mike O'Neill

Phil Pearce, Matt Stannard, ICO tech adviser

Hi Phil,

Publishers have always needed to take care putting 3rd party script on their pages, as this virus example shows, and it would be irresponsible to rely on someone else's bot scan to detect rogue script.
Far from needing to be paused, the PECR has a positive benefit here because it encourages publishers to focus even more on it (as they now may be responsible for 3rd party tracking functionality).
As for server-side inserts masking the problem, surely there would be a legal responsibility for the insert supplier to check for rogue script.
But you are right that an agreed standard to bypass tracking protection would be beneficial for compliance checking and anti-virus bot scans. Unfortunately the DNT=0 indication has (currently) been removed from the W3C DNT standard, which would have been perfect for this. If this was re-introduced it would also help with EU/US trade harmonisation because the DNT=1 could be assumed the default - as it needs to be.

Mike

@incloud

over 4 years ago

Phil Pearce

Phil Pearce, Senior Web Analyst at ConversionWorks.co.uk

@Mike

I'm not sure if any laws cover due-diligence for server-security, as I would have thought that if a website is infecting customers who visit, then it will quickly lead to a business having no customers ;) lol. So I don't think a fine applies (but I could be wrong).

Yes, since the Prontexi Banner-Ad poisoning event - Publishers should have realised that external Banner networks do not always deliver "safe" banners ;)
https://blog.avast.com/2010/02/18/ads-poisoning-%E2%80%93-jsprontexi/
https://blog.avast.com/tag/openx/
http://www.anti-malvertising.com/tips-for-publishers

Re: "DNT=on as default" that would make advertisers and publishers lose a lot of money!

Everyone knows, that 90% of internet users never change the default browser settings. It would be like going back to the dark-ages!

Conversion-cookies and visitor-tracking are needed to make the online ecosphere flourish and fuel data-driven decision making and investment. DNT=on default would be like giving the internet a heart attack - advertising would just die-out.

The only way this could ever work would be for a global advertiser and analytics fund, to incentivise internet users to turn DNT=off, in return for cash or a better user-experience. It would effectively create a two-tier internet. Is this what users really want??

Let's wait and see the results of the Google $25 pay-user Chrome trackme test in USA. My guess is that... If you think there are too many ads on the SERP and Display network now, wait for the Google-Ad goggles to get magnified! (as the $25 fee, would need to be re-accrued by showing BIGGER or more INTERRUPTIVE ads).
http://www.google.com/landing/screenwisepanel/

-----------
Just going back to the thread topic, here is another unforeseen tracking issue and byproduct of the Cookie Law...

6. If anonymizeIP hashing (e.g. 123.123.123.xxx) becomes a requirement.
http://tinyurl.com/anonymizeIP-on-geographic-data

Then most EXCLUDE-IP filters will stop working! This will mean that robot traffic from Gomez/SiteConfidence will start showing in GA or inhouse traffic will start being counted by accident (unless a wildcard filter range is used: xxx.xxx.xxx.[0-9]{1,3} ).

Additionally, IP-to-country and Broadband-ProviderName fields will become ~10% less accurate as these are recorded as country=(not set). Hence traffic to an include UK profile will reduce by 10% if ['_gat._anonymizeIp'] is turned-on! (Unless the filter is set to include UK and unmatched-IPs using ^(United Kingdom|\(notset\))$ )

Note: If a geo-ip redirect to a folder such as /uk/ is in place such as on econsultancy.com; then GA include UK profile is fine :) Only the native GA ip-to-country field and advanced segments based on this country field in GA are affected.

Chart which shows the growth of GA's Anonymize-IP*
http://trends.builtwith.com/analytics/Google-Analytics-Anonymize-IP

* Note: the German law change on anonymizeIP was on Sept-2011, hence the spike on this graph.
http://conversionroom-de.blogspot.com/2011/09/deutsche-datenschutzbehorden-bestatigen.html

Thanks

Phil.

over 4 years ago
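To illustrate point 6 of the comment above, here is an added example (not code from the commenter or from Google Analytics) showing why an exact-IP exclude filter stops matching once the last octet is anonymised, and what the wildcard form then catches. It assumes anonymisation zeroes the last IPv4 octet before filters run; the function names are hypothetical and the addresses are constructed from documentation ranges.

```javascript
// Assumption: anonymisation sets the last octet of an IPv4 address to 0
// before any filter sees it (written as 123.123.123.xxx in the comment).
function anonymizeIp(ip) {
  const parts = ip.split(".");
  const valid = parts.length === 4 &&
    parts.every(p => /^\d{1,3}$/.test(p) && Number(p) <= 255);
  if (!valid) throw new Error("not an IPv4 address: " + ip);
  parts[3] = "0";
  return parts.join(".");
}

// Escape regex metacharacters so "." in an address matches only a dot.
function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Exact-match exclude filter: the kind that stops working.
function exactFilter(ip) {
  return new RegExp("^" + escapeRegex(ip) + "$");
}

// Wildcard filter over the last octet, as the comment suggests.
function rangeFilter(ip) {
  const prefix = ip.split(".").slice(0, 3).join(".");
  return new RegExp("^" + escapeRegex(prefix) + "\\.[0-9]{1,3}$");
}

// For each hit, report whether it was excluded before anonymisation and
// whether each filter style still excludes it afterwards.
function report(excludedIps, hits) {
  const exact = excludedIps.map(exactFilter);
  const range = excludedIps.map(rangeFilter);
  return hits.map(h => {
    const seen = anonymizeIp(h.ip);
    return {
      source: h.source,
      seen,
      excludedBefore: exact.some(r => r.test(h.ip)),
      excludedAfterExact: exact.some(r => r.test(seen)),
      excludedAfterRange: range.some(r => r.test(seen)),
    };
  });
}

// Constructed sample data (RFC 5737 documentation addresses).
const EXCLUDE = ["192.0.2.17", "198.51.100.0"];
const HITS = [
  { source: "monitoring-robot", ip: "192.0.2.17" },
  { source: "office", ip: "198.51.100.0" },            // last octet already 0
  { source: "neighbour-customer", ip: "192.0.2.200" }, // same /24 as the robot
  { source: "unrelated-visitor", ip: "203.0.113.9" },
];

console.table(report(EXCLUDE, HITS));
```

The wildcard filter restores the exclusion for the robot, but it also drops every genuine visitor who shares that /24, so the excluded ranges should be checked against expected customer traffic.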

Mark Chapman

Mark Chapman, Director of Client Strategy + Services at White Hat Media

I just sent an email to the local MP in my constituency who is also prominent in government matters, Andrew Tyrie, and raised this as an economic matter that in these tough financial times is highly important and deserves some serious reconsideration by legislators and those enforcing privacy laws such as the ICO (Information Commissioner's Office).

I sent a link to the Econsultancy survey results - http://econsultancy.com/uk/blog/9298-82-of-digital-marketers-see-the-eu-cookie-law-as-bad-for-the-web-survey - and said an overwhelming majority of this industry are seriously and hugely concerned about the commercial impact on websites and, simply, website usability.

For all website visitors to have to agree to cookie use on the millions of websites on the Internet just seems to be bureaucracy gone mad.

It's bad enough having to accept legal terms (that no-one reads) for applications such as iTunes and Windows... but to have to do this time and again for every website we visit is... a. plain daft, and b. will drive people off websites, an area enjoying some economic progress.

The interference with business here is so unhelpful at a difficult time.

While accepting the need to stop any privacy criminal-type breaches, there is a considerable workload as well as resources required to implement for any company, especially small firms.

Even if the ICO goes after a major company, it is likely to just get tied up in a ridiculous red tape and legal gravy train. Great for lawyers and their fees, but not for business.

I also pointed him to the other Econsultancy piece about the cookie law you did recently - http://econsultancy.com/uk/blog/9202-eu-cookie-law-three-approaches-to-compliance

Mark Chapman.

over 4 years ago

Phil Pearce

Phil Pearce, Senior Web Analyst at ConversionWorks.co.uk

@MarkChapman

The EU are actually discussing this topic at 12:30am UK time today (they are also discussing a complete reform of the WHOLE legislation for 2013 to standardise across all EU countries).
http://ec.europa.eu/justice/events/eu-us-data/index.html

WebCast for 12:30am
http://webcast.ec.europa.eu/eutv/portal/player/index_player_streaming.html?id=14307

#eudpConf
https://twitter.com/#!/search/%23eudpconf

We have a representative from WAA cookie law committee who is attending:
https://twitter.com/#!/geddyvanelburg

Thanks

Phil.

Note: The rough guide to DP rules for "2013" is here:
http://ec.europa.eu/justice/data-protection/minisite/
http://www.youtube.com/watch?v=5ByVaZ0rg8U

You can always reach out to Viviane Reding [EU Legal Commissioner head honcho].
https://twitter.com/#!/vivianeredingeu

A video of her talking about EU dp is here:
http://ec.europa.eu/avservices/video/videoplayer.cfm?ref=I072122
I am not sure about the "less costly for businesses" statement in the video - I think she means standardisation and harmonisation will result in cost savings in 2013.

over 4 years ago


Russ

A healthy dose of pragmatism seems to have struck UK government and public sector websites, who are now adopting a 'relaxed' stance towards 1st party analytics-only cookies:
http://digital.cabinetoffice.gov.uk/2012/03/19/its-not-about-cookies-its-about-privacy/

over 4 years ago


Marcus Stafford, Chief Executive Officer at Informed Choices Consulting Limited

The tab virus is a disturbing development and one we should try to stamp out before it takes hold. It could kill any compliance solutions and subsequent cookie acceptance if users start to fear popups, rather than just hating them as now.

The one thing that strikes me as odd is that the companies we are talking to now still don't realise how quickly they must act in order to be in with a chance of compliance before the end of May. They don't seem to realise that an audit isn't just pressing a button and getting a report. That's just the beginning.

Just my 2p.

over 4 years ago

Phil Pearce

Phil Pearce, Senior Web Analyst at ConversionWorks.co.uk

@Marcus

Re: CookieTab VIRUS - sucuri.net is now showing this as malware:
http://twitpic.com/8yxvsa/

But GoogleSafeBrowsing crawler is still not auto-detecting the exploit (possibly due to the user interaction opt-in aspect).

* Website screenshot:
http://twitpic.com/8ym4ki/full

* AVG detection screenshot:
http://twitpic.com/8xezqz/

* Unmask parasites screenshot:
http://twitpic.com/8yxzno/

Here are details of the JavaScript part of the exploit. The code is heavily obfuscated to avoid detection: http://sucuri.net/malware/malware-entry-mwjs6525

The virus is also using cookies to selectively drop the payload using:
var uolk = "xxx"; if(!document.cookie.match(uolk))

Once the SafeBrowsing database has updated - FireFox browsers should flag the website with a malware warning (hurry up GoogleMalwareDetectionBot ;)
http://www.google.com/safebrowsing/report_phish/?url=http://www.eu-cookie-law.com/cookie-tab
http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=www.eu-cookie-law.com/cookie-tab

Thanks

Phil.

Note to Cookie-Compliance vendors... please, please test your solutions and your website for exploits! (this is especially important if you are using a centralised JS file for the opt-in script deployment i.e. similar to GA's externally hosted ga.js)

Malware and Hackproof tests:
http://www.unmaskparasites.com/security-report/
http://sitecheck.sucuri.net/scanner/
https://dashboard.websitedefender.com/register-for-free-website-scan.php
https://freescan.qualys.com/freescan-front/module/freescan/#scans
http://www.noupe.com/how-tos/wordpress-security-tips-and-hacks.html
http://wordpress.org/extend/plugins/websitedefender-wordpress-security/

over 4 years ago


Mike O'Neill

Phil, Marcus

The CookieQ cookie management JavaScript is only hosted on our servers, is entirely maintained by us and we do not use any external JS libraries. We do not use any external Content Delivery Networks to host it. Though we use the jQuery library on parts of our main site we again host it ourselves, mainly for the simple reason that many CDN place & use cookies.
Customers can supply their own CSS files to customise the look & feel of the opt-in panel, banner etc, but these are constrained by the mime type to CSS and so cannot be used to add malware.
I really do not think that Cookie Compliance vendors are any more likely to be vectors for malware delivery than any public facing web publisher. In fact, because of their focus on the technical requirements of privacy law compliance, they are far less likely to be so.

over 4 years ago

Mark Chapman

Mark Chapman, Director of Client Strategy + Services at White Hat Media

@PhilPearce - Hey Phil, terrific information and research. Very impressed. I just got to work through it... :-)

mark.

over 4 years ago

Mark Chapman

Mark Chapman, Director of Client Strategy + Services at White Hat Media

I've read through most of the posts and one key point is that people are complaining too late because it is already law.

Well, that's because nobody visualised how stupid it would be to force so many websites to display so many opt-in type messages.

To have to accept cookies time-after-time is going to be a ridiculous user experience. Bureaucratic overkill.

And then the behind-the-scenes effort that will have to go on to make this work makes it a waste of money and valuable time for many businesses and traders during a period when staying in business is much more important.

mark.

over 4 years ago

Phil Pearce

Phil Pearce, Senior Web Analyst at ConversionWorks.co.uk

@MarkChapman - Yes, you are right.

Unfortunately the WA, Banner, Affiliate, PPC and SEO community have been too late to avert the 2009 Cookie law - it's ALREADY here and we need to ACT to avoid enforcement & fines :(

Just adding another discussion point...

7a. Another unintended consequence of the CookieLaw, is the effect on internal aggregated analysis and external Benchmarking reports.

For instance conglomerate websites which run ROLLEDUP trackers in order to see a top-level view of traffic to all web properties, or vendors BENCHMARKING service such as Coremetrics web competition report will be affected.

* Internal RolledUp tracker example:
http://analytics.blogspot.co.uk/2009/09/advanced-structure-your-account-with.html

* External Coremetrics Web Competition report example:
http://www-01.ibm.com/software/marketing-solutions/benchmark-reports/index-2010.html

* External GA quarterly benchmark performance report example (using Website owner opt-in data):
http://blog.kissmetrics.com/2011-web-analytics-review/?wide=1

7b. Due to cultural country differences in consumer opt-in rates (e.g. For example USA consumers may be more willing to be tracked, than their German counterparts who are more privacy conscious).

Thus when comparing trafficked performance of USA vs Germany, it might appear that relate German traffic has declined, but in fact this could be due to the higher opt-out rate. Thus less might be invested in German websites based on this data (unless Country level normalisation could be accounted for).

However country level normalisation adds an extra level of complexity, especially when there is not currently any statistically valid data on opt-in rates per country (yet).

Note: The Gov DataProtection regulators have all implemented DIFFERENT opt-in solutions, thus their data is not a valid sample for opt-out benchmarking, as the same opt-in solution would need to be added to all global websites, to make this a fair test.

7c. Also, as opt-in consent rates will be higher based on sectors (e.g. non-profit or trusted brands will be HIGH, Insurance and Banking sector will be LOW due to perceived trust & privacy risks). This is going to make aggregated analysis even harder!

It's going to be like the GoogleSSL keyword=(not provided) change, but worse ;)

8. Aggregated analysis data is critical to business investment and forward-looking decisions.

For instance, decisions based on projected growth can be used to answer questions like:
* When will investment in a mobile website break-even?
http://gs.statcounter.com/#mobile_vs_desktop-ww-monthly-200903-201203
* How much are my competitors investing in Mobile? Or should I invest in iOS or Android:
http://gs.statcounter.com/#mobile_os-ww-monthly-200903-201203

* The cookie law will not wipe-out these aggregated tools, but it will cause the projections to under-estimate due to non-tracked traffic, and create a level of uncertainty.

Uncertainty (especially when investing Billions of Euros) is VERY damaging for web businesses and consequential EU aggregated GDP!

Uncertainty also affects current investment in advertising, as automated CPA bidding tools such as Adwords Conversion optimiser (which uses a 3rd party conversion cookie by default) will start underbidding if visitors conversions are not counted due to opt-outs.

Assuming this is not normalised... then the bids and advert positions would automatically freefall, due to 50% of sales are tracked, then Advert bids will also auto-reduce by 50%!
http://www.youtube.com/watch?v=nRRw1M_TeYI#t=5s

If the entire PPC ecosphere shifted downwards then VAT and TAX on Adverts would ALSO shift downwards by 50%. Just looking at the Top100 companies on Adwords in the UK yesterday, they were spending approx £1.6million * 365days = £583billion per year (ignoring seasonal fluctuations). http://www.spyfu.com/UK/TopList.aspx?listId=1

Assuming a flat-rate VAT of 11% is applied then this is £64billion in vat tax. Thus if investment in online halved then the government would lose -£32billion per year! If the -90% tracked conversions (as shown on the ICO's website) is applied, then this turns into a -£58billion of lost tax! WOW!

I agree that Privacy is important, and the Cookie law is a necessary step, but do you really think that the cost of Privacy is worth THIS much?

I know it's too late NOW, but I wish the EU Politicians would come to their senses and wait for the W3C to produce a Browser-based solution, rather than far-reaching and under-considered EU legislation.

Thanks

Phil.

over 4 years ago


Marcus Stafford

@PhilPearce.

Excellent analysis and frightening figures. I wonder if those behind the law really understand the consequences?

Marcus

over 4 years ago

Mark Chapman

Mark Chapman, Director of Client Strategy + Services at White Hat Media

Yes @PhilPearce, I'm also on the record saying a Browser-based solution is by far (in fact, by huge leaps and bounds) a much better way to solve this cookie issue.

Why, why, oh why have EU bureaucrats / ICO thought it's a good idea for zillions of websites to pop-up consent boxes (each of different appearance) that website visitors and companies' customers and clients will have to click again + again??

Mind boggles at the ineptitude of it all... And the amount of taxpayers' money spent by a quango (for that is what the ICO is) as well as the EU trying to force this through is criminal in the current economic environment.

mark.

over 4 years ago

Ashley Friedlein

Ashley Friedlein, Founder, Econsultancy & President, Centaur Marketing at Econsultancy, Centaur Marketing (Staff)

@ALL In case you haven't seen I've just posted an article on Econsultancy's 'solution' to the EU Directive at http://econsultancy.com/blog/9453-econsultancy-s-solution-to-eu-e-privacy-directive-compliance - do let us know what you think in the comments there!

over 4 years ago


jodyvanv

I'm now looking at this for our company and what a poorly conceived bit of legislation it is. No real advice from the ICO, poor and vague guidelines and an end result that will harm the UK's online industries no end.
What is the point? My ISP happily tracks my browsing across the whole of the web, with no cookies at all, and then happily sells this information to the highest bidder, who in turn sell it as a tool for online marketers to target ads anyway...Hitwise/Experian anyone...
I wouldn't be at all surprised (and thankful) if there wasn't some public backlash against this legislation, I certainly hope so.

about 4 years ago


@barton71

Privacy before profit. It's only right that a person's right to privacy comes before another person's right to profit. It may be bad for some businesses in the short term, but long term, businesses will adapt. This is a small but positive step forward in protecting people's privacy.

about 4 years ago


Adam Davies

I don't think it's just marketers that are annoyed by the lack of knowledge behind the Cookie Law decision... Designers, developers, and admins seem to be pretty wound up too.

There is much talk of privacy this and privacy that... Does no one else find it odd that the government is forcing ISPs to install deep-packet inspection hardware to track their users, which is completely illegal, in the same month as the EU Cookie Law is due to be enforced?

Hypocrisy at the highest level!

about 4 years ago
