Meriel Lenfestey is Director at Foolproof, and is currently working with financial clients on compliance with the EU cookie laws

The EU cookie laws, and the potential effect they can have on online businesses, represents a major challenge. So how can they comply without harming the user experience and damaging their revenues? 

I’ve been asking Meriel about what websites should be doing to prepare for the implementation of the cookie law, and how this will affect the user experience. 

Is there now an acceptance that this cookie law is happening and something has to be done to comply, or are some still hoping it will go away? 

I believe there is an acceptance amongst major online service providers that this is not going away.

Many smaller organisations, without legal departments, are likely to be unaware of their responsibilities or are taking a wait and see approach on the basis that they aren’t likely to be targeted themselves. 

Is the ICO being clear enough on what is required of online companies to comply with the law? 

The ICO’s ‘almost impossible’ task is to facilitate and enforce the implementation of the EU Directive in the UK.

The new law is relatively clear, particularly when viewed alongside existing legal definitions of consent. UK Business, Government, and I, feel that the resulting legal requirements are too onerous to be practical and a clumsy way to achieve the underlying goals of the Directive.

In attempting to appease us all, the ICO has implied more flexibility in their guidance, contradicting the law around issues such as the timing and nature of consent.

Although the guidance doesn’t have any legal standing, it has fuelled the organisational fires between legal and commercial teams about how much to invest in complying.  

What should online businesses be doing in preparation? 

By now, all businesses should understand how they are currently using cookies (directly and indirectly).

Our advice is that this means conducting a cookie audit which not only lists the cookies, the data they store and the provider, but also identifying what benefit each provides to users (including how that benefit can be described to users).

It should also include a categorisation (we’ve identified five overall categories of cookies), what commercial benefit they provide, the level of intrusiveness they could be deemed to create and whether they enable a feature the user specifically requests.

Information should be placed on every website, to describe in user facing language, how cookies are used.

All businesses should be revising their customer contracts to ensure they include consent, and their partner contracts to ensure it is clear where responsibility lies (without that the law makes the primary domain responsible).

With these steps taken, an experienced designer can be briefed to design a UI solution which delivers the best possible user experience for the specific business requirements.

Some have suggested that doing some planning (i.e. showing willingness to comply) will be enough. What is your take on this? 

It’s not enough legally. However, no one knows what enforcement action will be taken and some are willing to wait and see, safe in the knowledge that the ICO will give them warning before any action.

The scale of the financial penalties, when viewed against the cost of implementation and risk to business have a created a great incentive for businesses to take minimal steps.

Are there any loopholes that online businesses will seek to exploit? 

The law has three aspects (consent, information and exclusions) all of which could be seen as open to interpretation.

The ICO’s recent guidance illustrates this brilliantly within a single document where they suggest non compliant solutions might be acceptable.

These include solutions based around delayed consent rather than prior consent; and inferred consent based on information in a footer, rather than explicit, provable, informed consent.

The lack of clarity around which cookies will be deemed strictly necessary (Shopping baskets “may be excluded”) and their implied flexibility around some cookie uses (e.g. analytics) will also invite many businesses to argue that their cookies should be excluded. 

You have been working on this issue with clients in the financial sector. What are the challenges that are unique to this type of business? 

The clients we have been working with are organisationally risk averse but resist the requirements because they don’t feel they place intrusive cookies.

They use a lot of cookies (one client uses several hundred), and they use third party cookies (including analytics, partner service providers and aggregators). They will face particular challenges in delivering against FSA requirements such as TCF without being able to rely on people using cookies.

They are often dealing with multiple markets across the EU and will need to satisfy the legal requirements in each market, regardless of any flexibility implied by the ICO. 

How badly will the loss of cookies (if users opt out) affect the user experience on websites? 

I doubt many websites will offer a persistent opt out option. More likely, they will keep asking each time a user returns or tries to use a piece of functionality which requires cookies in the hope of persuading them.

However, without consent, the immediate impact will be a reduced set of functionality and a less personal experience where the user must hunt down relevant information rather than have it float to the surface.

The medium term impact will be caused by businesses’ lack of insight to lead their service development decisions. The long term impact will be a change in the market dynamic with fewer ‘free’ advertising funded or aggregator based websites.

Is it possible to comply without affecting the user experience? What are the best, or least bad, options? 

A site which only uses cookies which drive core features the user explicitly requests, e.g. shopping basket in an e-commerce site will probably be compliant without changing anything.

This is true of very few online services. For the rest, it is not possible to comply without affecting the user experience.

We’ve been working with our clients to recommend solutions which minimise the impact on the experience through careful, intuitive placement of consent requests and information, as well as concise, customer facing wording to gather single consent for multiple cookie types (wherever possible). 

The laws also apply to mobiles, tablets and connected TV. How will that work in practice? 

It makes very little difference except that it adds strength to the argument that we can’t wait for a browser based solution.

Regardless of the platform, the user must be able to make an informed decision before proceeding with an action which will place a new type of cookie.

What are you advising your clients to do about this? 

We’re advising them to decide on a strategy and apply it across all platforms.

How do you expect large online businesses such as Tesco and Amazon to deal with the cookie issue? 

I expect that few (if any) will fully comply, at least at first until they see what their competitors have done, how the ICO is enforcing the law, and how users respond with their increased awareness.

I do however, expect that they will all increase the prominence of cookie related information on their services, and that they will have fully compliant plans up their sleeve, just in case.

Is there anything companies can do to educate web users about the cookie issue in advance? 

I’m torn on this one. I don’t believe users should be educated about cookies. I see cookies as a technical solution to deliver a service – part of the magic which makes the web work.

As this isn’t a luxury providers are afforded in the law, I’d suggest that providers start to refer to cookies in places where they are beneficial (to users) in their services e.g. remember me boxes, add to shopping basket, pass choices to another page, store preferences etc.

This will start to create positivity around them as consent is sought. Registered users can be asked for consent early so that the necessary change in May will be smooth.

In a recent interview with LBi’s Manley on the EU cookie law, he said: ‘some say this is unworkable, but in all honesty, it’s not, it’s just a bit irritating.’ Would you agree with that sentiment?

Creating a compliant solution is possible from a technical and design perspective.

In my opinion, the problem is that the law is misaligned and out of proportion to the underlying goal and doesn’t factor in the realities of the commercial world and users’ tendency to take the path of least resistance.

I’d say that makes it more than a bit irritating.

Meriel will be speaking at a breakfast briefing on The New Data Protection Directive & Cookie Compliance next Thursday (23rd).