New data shows that in the UK, increased awareness of and engagement with robust privacy controls on websites have resulted in lower opt-out rates.

Four months after the UK ‘cookie law‘ deadline, data suggests that the enforcement process, accompanied by a burst of compliance by businesses, as well as a high degree of media attention, is yielding positive results.

In short, it seems that the more people understand how they’re being tracked on websites, and the more control they’re given, the more comfortable they are with tracking. 

On May 25th, 2012, the Information Commissioner’s Office (ICO) in the United Kingdom started enforcing the ePrivacy Directive, requiring websites that collect (and/or employ third-parties to collect) consumer data to disclose it to consumers, as well as provide them with a means to offer their consent to be tracked

The first EU member to enforce the Directive, the UK chose to allow businesses to use an “implied consent” mechanism on their sites. That means that visitors express their consent by seeing a conspicuous privacy icon, normally labelled “cookie consent”, and accompanying disclosures about the companies collecting their information, and have an easy way to opt out. 

  • In the UK, from June 1st to August 31st, the click rate on the privacy icon doubled to .3% from .16%, suggesting that people were seeing and/or learning about it more.
  • Simultaneously, post-view opt-outs in that same period decreased to .04% from .15%, suggesting that, once the waters settled a bit after the buildup to the deadline, consumers became less inclined to just turn off tracking, perhaps assuaged by the robust notice and consent options they were presented with.

Here is an example of live Evidon notices in the UK.



The suggestion that increased awareness and control makes consumers more comfortable with tracking was also backed up by research we conducted with Toluna in June.

In other parts of Europe the situation is understandably different. In the Netherlands, where the government is pushing for compliance that is based on the stricter “explicit consent” model (ie, consumers must proactively opt-in to allow their data to be collected), privacy icon click rates and post-view opt-outs are more in parallel.

Clicks are on the rise, with more sites complying and increased media attention, and more people are opting-out after seeing privacy notice. It may be that getting people to proactively volunteer to be tracked is simply asking too much.

While the Dutch government set a September 24th deadline for government sites to be compliant, there is no formal enforcement yet, which means there is obviously less adoption of the Directive, and consequently less data on user engagement with notice. 

Similarly, in France and Germany, where there is no enforcement yet, both icon click rates and post-view opt-outs are consistently low.

Figure 1. click rates 

Figure 2. Post-view opt-out rate

Granted, this is all still preliminary data. But if UK data continues to play out the way it did in those first few months after the enforcement deadline, we may see other EU member states following its lead.

Protecting consumers’ privacy and giving them real transparency and powerful controls over how their information is use is paramount, but no one wants to damage responsible businesses in the process.

If the goal is that balance, the combination of enforcement (and the awareness that comes with it) and robust implied consent mechanisms on websites may be the path to achieving it.