The deadline for the e-Privacy Directive is fast approaching. While the subject has generated significant attention across Europe, the word ‘cookie’ continues to dominate the headlines.
In fact, the part of the Directive that applies to cookies is written more broadly and requires consent for non-essential tracking, regardless of whether a cookie is involved.
In this article, I’ll review the facts behind the ‘cookie law’ and lift the lid on what consent really means for UK businesses.
The cookie misnomer
Everyone is talking about the run-up to May 26, when the ePrivacy Directive will begin being enforced by the Information Commissioner in the UK. The attention paid has been impressive, and we know that significant companies are taking critical steps behind the scenes. But we need to flag a problem.
Somehow, the term ‘cookie’ has crept into the conversation like an insidious little worm, eating its way into headlines, distracting the market and potentially sending well-intended companies sprinting in the wrong direction during this critical last stretch.
To be clear, we’re talking about compliance with the amended e-Privacy Directive. The portion of the Directive that applies to cookies is in fact written much more broadly and requires consent for non-essential tracking, regardless of whether or not a cookie is involved.
Yet we hear the Directive referred to as the ‘Cookie Directive,’ and the ‘Cookie Law.’ Companies have sprung up selling ‘Cookie Solutions,’ and providing ‘Cookie Audits.’ We have fantastic new ‘Cookie Policies’ and detailed breakdowns of the functions of each cookie.
All of this is helpful inasmuch as it moves the ball incrementally forward. The danger is that our choice of words can end up putting horse blinders on our approach to compliance.
Cookies, tags and trackers
As a lens through which to view tracking activity on your own site, a focus on cookies, to the exclusion of other technologies, is both incomplete and exhausting.
Tags are the central tracking element, not cookies. Many companies track the consumer using an alternative technology, like a Flash object. In addition, an emerging class of trackers is beginning to use technologies like device fingerprinting.
These companies use tags, but do not leave behind any tracking object on the computer and as a result are typically invisible to web scanning technologies. Because of these gaps, a ‘Cookie Audit’ will frequently miss as much as 40% of tracking activity, a clearly unsustainable result for companies that wish to comply with the law.
A complete dump of all cookies set on a site can also quickly become overwhelming. One company can set one cookie or 12; there is no pattern. And a large organisation with a portfolio of domains, or any company with an ad-supported site, can easily have 100 or more trackers, each setting one to 12 cookies.
500 or more cookies are not at all uncommon. Further, it is often impossible to distinguish the specific purpose of individual cookies, with their cryptic names and randomised values. We’re talking about a massive undertaking, and for what benefit?
You need to understand who is on your site, and what they are doing with data. Not the particular differences between these two cookies (and yes, they are real):
a) name: __utmc, value: 46026228
b) name: __utmb, value: 4602618.104.22.1680142291
It can be very helpful to know which cookies are being set, but the cookies should not be the focal point of your analysis, or you will spend hundreds of hours diving down rat holes with questionable returns.
Instead, you need to raise your assessment to the level of the companies that are tracking the user. Each company has distinct attributes relevant to your assessment, including:
- The categories of information they collect.
- Their business model.
- Data retention policy.
- Whether or not they have a properly functioning opt-out.
- Whether or not they engage in online behavioural advertising.
- The types of tracking technologies they are using, including tags, cookies, and Flash objects.
- Whether or not ALL of their tracking activities can be considered ‘strictly necessary’ under the Directive.
All of this information should be rolled together into a clear position on whether or not each company requires consent. You can do this yourself, or you can work with a company like Evidon, but whoever you use, be sure you don’t find yourself lost in a maze of cookies.
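One way to roll tag observations up to a per-company position, shown as an added example that is not part of the original article. The hosts, company names, register fields and the `owningDomain` shortcut are assumptions made for illustration.

```javascript
// Constructed sample of tag requests seen on one page load (not real audit data).
const observedTags = [
  { host: "stats.analytics.example", cookies: ["__utmb", "__utmc"], storage: [] },
  { host: "cdn.analytics.example", cookies: [], storage: [] },
  { host: "px.adnetwork.example", cookies: ["uid"], storage: ["flash object"] },
  { host: "fp.fingerprint.example", cookies: [], storage: [] },
  { host: "cart.shop.example", cookies: ["basket"], storage: [] },
];

// Hypothetical register the site owner maintains, one entry per company.
const companyRegister = {
  "analytics.example": { name: "Example Analytics", strictlyNecessary: false, workingOptOut: true },
  "adnetwork.example": { name: "Example Ad Network", strictlyNecessary: false, workingOptOut: false },
  "shop.example": { name: "Example Shop (first party)", strictlyNecessary: true, workingOptOut: true },
};

// Simplification: treat the last two labels as the owning domain.
// A production audit would use the Public Suffix List instead.
function owningDomain(host) {
  return host.split(".").slice(-2).join(".");
}

function buildInventory(tags, register) {
  const byCompany = new Map();
  for (const tag of tags) {
    const domain = owningDomain(tag.host);
    const known = register[domain];
    if (!byCompany.has(domain)) {
      byCompany.set(domain, {
        domain,
        company: known ? known.name : "UNREVIEWED",
        tagCount: 0,
        cookies: new Set(),
        technologies: new Set(["tag"]),
        // Companies nobody has reviewed default to needing consent.
        consentRequired: known ? !known.strictlyNecessary : true,
        workingOptOut: known ? known.workingOptOut : false,
      });
    }
    const entry = byCompany.get(domain);
    entry.tagCount += 1;
    tag.cookies.forEach((c) => entry.cookies.add(c));
    if (tag.cookies.length > 0) entry.technologies.add("cookie");
    tag.storage.forEach((s) => entry.technologies.add(s));
  }
  return [...byCompany.values()].map((e) => ({
    ...e,
    cookies: [...e.cookies],
    technologies: [...e.technologies],
    visibleToCookieAudit: e.cookies.size > 0, // false = a cookie-only scan misses it
  }));
}
```

In the constructed data, the fingerprinting tag sets no cookie, so it appears in this inventory with `visibleToCookieAudit: false` and would be absent from a cookie dump altogether.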
Tracking activity and the consumer
Disclosures that leap directly into a breakdown of each cookie are replacing a problem created by legal geeks (privacy policies) with a problem created by real geeks (technical explanations of hundreds of cookies).
You must engage the consumer in a dialogue about the tracking that is happening on your site to comply with the law, and that dialogue must be specific, but there is no reason to leap directly to the logical extreme.
Again, they need to know who is tracking them on your site and what they are doing with data. Your priority should be experimenting with interfaces that simplify the presentation of this information as much as possible, rather than running a microscope over the particulars of each cookie.
When discussing cookies, be sure to provide context. Include the company behind each cookie, with links to more information about that company’s practices.
In the EU, our clients will be deploying consent solutions that make it clear to the consumer that tracking is taking place, using visual tools like the orange bar and Cookie Consent button on the bottom of the page below.
Consumer visits site and reads about the tracking taking place as well as their options.
If the consumer clicks on the Cookie Consent button, they will have access to a breakdown of the categories of tracking activity, including Essential, Analytics and Customisation, and Advertising.
They can withdraw consent for the latter two categories of tracking, as they are subject to the Directive, or they can click an arrow to read more about the tracking in each category.
If they click an arrow, they will see a list of the companies tracking them in each category along with the purpose of their tracking and can withdraw consent from individual companies.
When taken together, these tools allow a company to have comfort that they have acquired the implied consent of the consumer.
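The consent flow described above can be modelled as a small gate that decides which tags may fire. This is an added example, not code from the article or from any vendor's product; the tag list, company names and function names are assumptions.

```javascript
// Only these two categories can be withdrawn; Essential tracking stays on.
const WITHDRAWABLE = new Set(["Analytics and Customisation", "Advertising"]);

// Constructed tag list; company names are placeholders.
const siteTags = [
  { company: "Example Shop", category: "Essential" },
  { company: "Example Analytics", category: "Analytics and Customisation" },
  { company: "Example Ad Network", category: "Advertising" },
  { company: "Example Retargeter", category: "Advertising" },
];

// Implied consent: nothing is withdrawn until the visitor acts.
function createConsent() {
  return { withdrawnCategories: new Set(), withdrawnCompanies: new Set() };
}

// Category-level withdrawal, as offered on the first panel.
function withdrawCategory(consent, category) {
  if (!WITHDRAWABLE.has(category)) return false; // Essential or unknown: refused
  consent.withdrawnCategories.add(category);
  return true;
}

// Company-level withdrawal, as offered after clicking the arrow.
function withdrawCompany(consent, company, tags) {
  const tag = tags.find((t) => t.company === company);
  if (!tag || !WITHDRAWABLE.has(tag.category)) return false;
  consent.withdrawnCompanies.add(company);
  return true;
}

// A tag fires only if neither its category nor its company is withdrawn.
function mayFire(consent, tag) {
  if (tag.category === "Essential") return true;
  if (!WITHDRAWABLE.has(tag.category)) return false; // uncategorised: fail closed
  return (
    !consent.withdrawnCategories.has(tag.category) &&
    !consent.withdrawnCompanies.has(tag.company)
  );
}

function tagsToLoad(consent, tags) {
  return tags.filter((t) => mayFire(consent, t)).map((t) => t.company);
}
```

The gate has to sit in front of the tags themselves, not just the cookies, so that a withdrawn company's tag is never requested at all.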
With all of this said, I want to be clear about the important part that cookies play in your compliance game plan for the ePrivacy Directive. But do yourself a favour and strike any reference to the ‘Cookie Law.’ I still haven’t seen a copy of that law.