Manley is SEO Director at LBi, and he has been working with clients recently, preparing for the full implementation of the EU cookie directive. 

This directive (here’s the pdf if you have a few hours spare) was introduced in the name of privacy, but has serious implications for online businesses. 

I’ve been asking Manley about what the directive will mean in practice for online businesses, and what they should be doing to prepare themselves…

What was the thinking behind the EU cookie regulations?

The reason the EU has introduced this directive is due to concerns about privacy, especially from Scandinavia. The idea is to prevent organisations collecting information about web users without their permission. 

The problem is that the people who have introduced this have very little idea of what a cookie is and what they are used for. Considering the privacy of individuals is no bad thing, but the law is slightly misguided. 

It was announced at the beginning of the year, and the UK is the first country to have introduced it. 

The idea behind this early adoption was that we could manipulate the law, and the initial guidance was that browser settings would deal with the need for users’ consent. 

However, it soon became clear that that wouldn’t cut it.  Now we have a situation which is unclear for many businesses. 

What does the ICO’s decision to delay implementation mean in practice? 

The law is in force now, and has been since May 26. However, the ICO has said it will not prosecute anyone under this rule until May 2012. 

You can make complaints against websites though, and just because businesses may operate websites within the UK, it doesn’t mean they have nothing to worry about until next year. 

If your visitors are coming from other EU countries including Ireland, Sweden, Estonia, Finland and Malta, you may be liable. 

What do the cookie regulations mean for online business?

The ICO will not currently pursue companies for not gaining users’ consent for cookies, but this is no excuse not to be doing anything about it. 

As the ICO’s Christopher Graham has said, those who choose to do nothing will have their lack of action taken into account once the regulations are enforceable. 

The sort of organisation that will be likely to be complained about should have the resources to be able to make the necessary changes. 

They should be concerned, as the penalty for flagrant flouting of the rules is £500,000. Any organisation with several websites and brands, some financial services companies for example, will therefore be liable for each property, meaning fines could add up to millions of pounds. 

What should online businesses be doing in preparation? 

Although you can be fined, what constitutes a serious breach is flagrant disregard for the directive, and the ICO says that a phased approach is acceptable. 

Right now, you should be examining your existing current cookies, looking at:

  • How much information are you holding? 
  • How necessary is it? 
  • What measures can you put in place for gaining consent from visitors? 

Even the ICO’s cookie consent message (below) isn’t enough to comply. Users have to be able to make an informed decision and give overt and informed consent.

If you have done an audit, have an acceptable and clear privacy policy, and a reasonable strategy in place for May 2012, ready to be implemented, then you will be prepared.

What are the various options for websites to ensure that they comply with the cookie law? Is it possible to comply without affecting the user experience? 

Websites face a dilemma over how overtly they ask for users’ consent to store cookies.

They could put a notice on the page when new visitors arrive, one which asks for users to consent, but which still allows them to use the site as normal if they choose to ignore it. 

This will mean a better user experience, but the flipside is that the amount of traffic picked up by analytics packages will be a fraction of normal levels.

The other option is to use a lightbox to ask for consent. The user only has to opt in once, and this would solve the problem of losing analytics data, but it does mean that some visitors will drop out. 

People don’t like being interfered with, and frequently ignore lightboxes when used to gather user feedback on sites. We find it offensive that something online is interacting with us, rather than us with it.

When someone arrives at a site for the first time, there will be higher bounce rates as they see this interruption. 

Another approach is to have a tiered structure for visitors. For example, a ‘bronze’ level may mean no cookies are stored from that user, a silver level with a minimal level of cookie data, and gold, where customers opt in, in return for the fullest possible experience on a site.

This will be the first time that most web users will become aware of this legislation, and in many cases, what cookies are. The potential effect of this change on the internet could be massive. As well as online retailers, massive sites like YouTube and Facebook all rely on cookies. 

It also threatens many business models, retargeting, behavioural targeting, attribution CRM, display advertising, and of course, analytics. 

Analytics could be seriously affected by these changes. For example, on May 26, when the ICO began to ask for consent to store cookies, the visits shown in analytics were down to 11% of normal traffic.

Is there anything companies can do to educate web users in advance? 

Perhaps, but since all businesses are looking for is a quick yes from visitors, education may not serve businesses particularly well. 

Has there been much resistance to this law? Are companies lobbying against it? 

I’ve done some work on this with financial services and telecoms companies. There are some who say this is unworkable, but in all honesty, it’s not, it’s just a bit irritating.

Others are accepting it and trying to work within the guidelines. 

This isn’t going to go away, though whether the ICO actively seeks to prosecute businesses is debatable. 

The answer is to embrace the law, and to have everything ready for its full implementation, except the last consent step, a lightbox or notice for new visitors.  

When it’s clear that the law is in place and will be enforced, then this will need to be implemented. 

How exactly the law will be implemented is still not 100% clear. The ICO has asked the industry for feedback, and it’s not certain how they will adapt to this. Until we see the legislation in practice, it’s difficult to know, but just hoping it’s going to go away is not going to help.