{{ searchResult.published_at | date:'d MMMM yyyy' }}

Loading ...
Loading ...

Enter a search term such as “mobile analytics” or browse our content using the filters above.

No_results

That’s not only a poor Scrabble score but we also couldn’t find any results matching “”.
Check your spelling or try broadening your search.

Logo_distressed

Sorry about this, there is a problem with our search at the moment.
Please try again later.

We've covered the impending EU 'cookie law' a number of times on this blog, but we've yet to see many practical examples of implementation. 

There are exceptions, such as the Information Commissioner's Office (ICO) website, which has to set an example (though even this isn't enough to comply), but most are being kept under wraps. 

This is because online businesses are not going to add any interruptive messaging to their sites until the last possible moment, and perhaps not before they've seen what their rivals are doing about it. 

I've been speaking to 4Ps Marketing CTO Matt Stannard, who has kindly provided these mock ups of how some popular sites could choose to comply with the EU directive.

(UPDATE, 18 April 2012: Our new report, The EU Cookie Law: A Guide to Compliance, explains the legislation as far as it affects UK online businesses, sets out some practical steps that you can take towards compliance, and includes examples of how websites can gain users’ consent for setting cookies. Do check it out.)

Modal dialogue

One way a website may gain consent is through the use of a Modal Dialogue box. This could be shown on the homepage or on each page where a visitor has not opted in to Cookies the site sets.

Depending upon how the site functions, visitors may not be able to interact with the site until they opt in or if they choose to cancel, the site will have to work as well as it can without cookies.

BBC EU cookie law

Pros

It's a simple, and enforced call to action which spells out the reasons for cookies (to enhance usability). 

Cons

The user cannot browse the website until they have dealt with the dialogue box, and is therefore intrusive, and likely to increase bounce rates. 

Status bar

Sites may choose to display a translucent status bar at the top or bottom of the website which could be set to appear only on the homepage or on all pages.  

The bar informs visitors that the site uses cookies and links to the Privacy and Cookie policy.

It remains visible until a user has opted in to cookies from the website.

EU cookie law Debenhams

Pros

It's less intrusive than the dialogue box, and does allow users to continue browsing the website, even if they ignore the message. 

Cons

The layer may obscure and detract from some of the content on the website.

In addition, because it's easy enough to continue browsing, the user may never opt in, and the site will be unable to deliver any personalisation, or to track that site visit via analytics. 

Warning bar

A warning bar could be used in a similar way to the Status Bar. This appears each time the site wishes to set a Cookie allowing a visitor to accept that Cookie or all Cookies for the site. 

The Information Commissioner does suggest that as users become more aware of what and when Cookies are set then in the future this may be sufficient to demonstrate consent.

This style of functionality is probably likely to be incorporated into web browsers. 

Pros

Like the status bar, it's less intrusive and allows the user to continue to browse. It also has the advantage of informing the visitor which cookies the page is using. 

Cons

It has the same disadvantages as the status bar: the user may not opt in at all, and it does obscure some content. 

Preferences

This is not a mechanism of gaining consent, but is an example of how websites may choose to amend or create visitor preferences.

Where a visitor is signed in, websites may show a user a list of cookies the site uses allowing them to enable or disable each one in turn. 

The same functionality could be given to non-signed in visitors but would itself require a cookie to store these preferences.

I asked Matt about the approaches shown here. 

Are these examples sufficient to show compliance with the cookie law? 

For websites obtaining consent for first party cookies from their domain, these methods should comply as they are asking the user to give their consent before storing a cookie.

I personally would recommend having a Privacy and Cookie policy as part of the site which reinforces what cookies are used, their purpose and how to opt out i.e. delete the cookies.

Which do you think is the best of the three options?  

My personal view is that either two or three is best as it is less intrusive to the user but gives a continual call to action.

Method three is good as it gives the best awareness by telling a user when a cookie needs to be set again.

My personal view is that browsers may in the future recognise certain types of cookies and allow you to set these in your preferences, i.e. always allow Google Analytics, prompt me to set rules for unknown cookies.

I would recommend that all methods need planning to communicate any changes to users as early as possible and to ensure the type and level of intrusion of each cookie is identified and covered by the policy.

Are there still some grey areas here?  

Yes, third party cookies. That is, those from a different domain. Technically the owner of the site setting the cookie needs to gain the users consent and in such instances that is not the site the user is on. This could cause confusion for the user.

Then there are potential issues around Facebook Applications,  these are hosted externally to Facebook. These apps may set their own cookies and so technically require consent.

A user may have already 'connected' with the app through Facebook and may be confused if they see further non-Facebook branded consent dialogues or messages.

There is also much debate also about what is essential. At the moment, the regulations say this is for cookies which relate to content delivery, encryption or shopping baskets where, without them, the site would not function.

The ICO makes a good point that the PECR make no distinction between the different types of Cookies (First or Third) and how intrusive they are. However, if a cookie is used to provide security or in content delivery optimisation, it may be exempt.

We would suggest that best practice for sites using third party cookies is to ensure that you are clear and open to a user about how advertising platforms will be used.

Econsultancy is currently helping a number of European companies navigate the road to compliance, so do contact us if you'd like some help.

Graham Charlton

Published 5 March, 2012 by Graham Charlton

Graham Charlton is the former Editor-in-Chief at Econsultancy. Follow him on Twitter or connect via Linkedin or Google+

2565 more posts from this author

Comments (121)

Comment
No-profile-pic
Save or Cancel
Carlton Jefferis

Carlton Jefferis, CEO & Founder at Gettus!

All useful examples of approaches that could work (whether technically or compliance-wise) but every time I read anything on this subject I feel no-one is really attempting to understand the problem from the *user* perspective.

There was a very informative blog post last week from PredictiveIntent which evaluated some of the technical solutions/packages on the market. That article came to a similar conclusion.

I fear the first wave of attempts will cause visitors to rightly think WTF? coupled with mass confusion. The ensuing media backlash will do nothing to help.

We all need to think of highly innovative ways of addressing this problem for people, not business. Let's see some best-practice being shared? If we get the messaging and UX right it'll be business as usual. If we fail to think long and hard about how this comes across to our customers it'll be a right balls-up come 20th May.

over 4 years ago

Avatar-blank-50x50

Depesh Mandalia, Head of Digital Marketing at Lost My Name

Much prefer the basic version that Dave Naylor uses here: http://www.davidnaylor.co.uk/eu-cookies-directive-interactive-guide-to-25th-may-and-what-it-means-for-you.html (keep hitting 'cancel' for best effect)

:)

Honestly though I think it will depend on what your site is about, how interactive it is and how pro-active you are on this. Some will wait to see what others do and adopt "best practice" others like the examples above have gone and done what's best for them.

Ultimately majority control will probably pass to the browser which has its own pros and cons; the biggest con being the loss of control to sell the benefits of cookies on your site (since the browser setting *may* permanently override the site's preference...)

over 4 years ago

Avatar-blank-50x50

Chris Field, Director at Blue Latitude

What about implied consent? How many organisations will rely just on implied consent for low intrusive, first party analytics cookies? I know its a UK site, but I like the All Things Digital example - http://allthingsd.com/ (only visible to new visitors).

over 4 years ago

Avatar-blank-50x50

Russ

A comprehensive privacy and cookies page is essential in my view. An approach based on 'Tick this single box to allow all cookies' and not telling users what cookies are involved is not helpful in my view.

For Google Analytics cookies, my view is that if they are being used solely for anonymised analytics purposes AND it can be shown the GA cookies are not being interrogated ('snooped') by other 3rd party cookies, then an implied consent in respect of the GA cookies is ok.

over 4 years ago

Avatar-blank-50x50

James

An open source method has been released by CIVIC: http://www.civicuk.com/cookie-law/index as a bid tp set a common approach or at least iconography.

over 4 years ago

Avatar-blank-50x50

Chris

One issue with all these solutions is that they give a sense to users the site is doing something it wasn't doing before and that may encourage opt-out. Enhanced notice and implied consent I agree are therefore better solutions because they take more account of historical context and the fact that many people have already been interacting with these sites in these ways previously.

over 4 years ago

Avatar-blank-50x50

Khaleel

Oh please, how annoying and how backwards. Compliance seems to suck. Think I will stick to implied constant. Last 10 years.

over 4 years ago

Avatar-blank-50x50

George Marshall

This legislation and its implementation is a complete shambles. The year's grace has been largely pointless as we have hardly moved on at all.

You start with a massive problem in that most internet users surf the Web totally oblivious to cookies or what they do. As soon as you start flagging them as an issue, many will simply run a mile.

Equally, many small internet businesses have no idea how to implement a solution - some probably don't even know they are using cookies on their website.

And this legislation was drawn up in the first place by the equally clueless.

over 4 years ago

Avatar-blank-50x50

James Doman

Hi,

Thanks for mentioning our post, Carlton! The post, for anyone else wishing to read it, can be found here:

http://www.predictiveintent.com/2012/02/cookie-law-solutions/

What really annoys me, is that there are no single solutions which do the job in a nice and easy way. Each one has particular pro points, but almost each one lacks total compliance and/or a smooth user interface.

Surely, it can't be that hard to do! Might have to look into getting one built myself...

over 4 years ago

Avatar-blank-50x50

Matt Stannard

Very good points - yes the ICO does state consent can be implied and for me this works well until someone argues the case that had they known information was being stored they may not have interacted with the site.

What was very interesting was the research carried out by PwC on behalf of the DCMS showing the majority of people were unaware of what Cookies were which justified the need for change and that a lot would be happy to pay their ISP up to 75p per month to handle Cookies for them!!!

Personally, I would like to see better awareness rather than "opt-in" with sites being open and transparent to the user as to what and why they store data, perhaps though not to the same degree as is applied to telephony where most calls start off "This call may be recorded for training purposes!". Definitely in my view the Browser is the thing to handle this.

The ICO website incidentally has one of the mechanisms implemented http://www.ico.gov.uk/ and there are a few jQuery implementations which prevent Google Analytics unless Opt In has been given.

over 4 years ago

Avatar-blank-50x50

Richard Beaumont

You can see the approach taken by the Cookie Collective on these sites:

http://www.cookielaw.org/
http://governor.co.uk/
http://textor.com/

This bar displays a basic message by default, then 'More Info' leads you to an expanded categorisation of cookies on the site.

We think this level of information is really required to inform users - your examples above do not go far enough.

On the issue of third party cookies, the third party is invisible to the user, and therefore it is really the website they are visiting, not the one setting the cookies, that has to gain consent.
The website owner chose to put the third party scripts in place - so they are responsible for them.
What is really needed - and will be difficult - is a change in the relationships between website owners and the providers of third party cookies - so those providers will need to reveal what cookies they have and what they do to website owners - so they can become compliant. Otherwise, people will start chopping out their third party scripts.

over 4 years ago

Avatar-blank-50x50

Rob

Love this post and how it explains actual ways online retailers can address this situation. Personally, I think web browsers need to play a huge role in not only the EU cookie law, but any behavioral targeting initiative of a website. We also welcomed Angus Glover Wilson who wrote a guest blog post for us: http://monetate.com/2012/02/the-facts-about-the-eu-cookie-law-and-7-ways-to-prepare-for-it/

over 4 years ago

Avatar-blank-50x50

Meriel Lenfestey

The messages given to users need to be far more user centric. They need to communicate what the cookies are providing, in terms of the user experience, without the use of any jargon or technical language. Not easy but necessary. There are ways of doing this in a far more reassuring manner.

In terms of compliance...

I don't believe these solutions are compliant. They don't state what cookies are used for sufficiently to qualify as "informed" consent.

Some of the people commenting here need to be aware that implied consent is NOT legal. On the contrary, the ICO states that until there is a greater public awareness of cookies and what they do, it is too early to use implied consent solutions. Admittedly they go on to suggest an implied solution, but the guidance doesn't make it legal. I would only consider using implied consent (or delayed consent) for very low intrusiveness cookies - but remain aware that it involves some risk.

1st / 3rd parties...
The primary domain is the one responsible for gaining consent. I.e. if I arrive at site X and it includes functionality which requires 3rd party cookies to be set, site X theoretically needs to gain consent. This is an area the directive is particularly concerned with so I'd suggest making very sure the solutions are compliant here. No implied, no delayed, plain english.

Design approach...
The rule I've been giving our clients, based on our research, is that consent needs to be the path of least resistance, or most people simply won't give consent. As consent is not sought now, this effectively means not giving consent must become harder! This makes for an interesting design brief.

over 4 years ago

Avatar-blank-50x50

Mike O'Neill

Richard,

It is "difficult" but we have sorted it. CookieQ eliminates the need to remove 3rd party content or reach agreement with content providers about PECR compliance.
We offer a ThirdParty button which can register a visitor's opt-in status for cookies from that provider, which they may have given at any site.
In the same way as our standard range of 1st party buttons always reflect a visitors opt-in choice, and respects citizens by letting them withdraw or give their consent at any time, our Third-Party button does not present the 3rd party beacon or script unless a visitor has opted-in.

James,

We feel our site does enable compliance in an "easy way". Here are a few of the many sites of customers who have chosen to use CookieQ.
Unlike others, we have not included any of our own sites, and we are already fully operational.
BTW we DO link to the customer's description of what cookies they use, which can be as technically detailed as they want. Our Cookie Audit scanner can generate an exhaustive list of them.

http://lifebookphotography.com

http://wynsdale.co.uk/

http://rbl-stage.dev.plan9.co.uk/

http://www.briarcopywriting.com

http://therubymarketers.com/

http://markemeryphotography.com/blog/

http://www.northern-ireland-insurance.co.uk/

http://just4safetyblog.com/

http://www.taxiinsuranceblog.co.uk/

http://wwbooks.net/

http://www.kidsweek.co.uk/home/home/

http://insightfulminds.co.uk/

http://www.americanmotorhomeinsurance.co.uk/

http://www.builda-website.net/test-page.html

over 4 years ago

Avatar-blank-50x50

Ian Scarr

Our approach at SiteTagger has been born out of discussions with our customers on how they were approaching the problem and who or how would it be best to control the cookies being set.

What others have rightfully mentioned in this article is that there needs to be an educational approach between now and the deadline day and there are a host ways to do this. Your website, email subscribers, surveying and direct mail are all ways to reach out and tell your customers that things are changing.

What is clear each site owner must take responsibility for compliance and for education as the ICO and media are not helping at present? Sitting back and not doing anything is risky, doing something about it is risky, but its mitigating any risk to your business which is the most important thing to consider and demonstrating how you have complied to the ICO if they come knocking. Who wants to be a test case.

For an example of how this works take a look at our own website www.sitetagger.co.uk to see the Privacy Centre in action.

over 4 years ago

Avatar-blank-50x50

Teja

After conducting an independent investigation through our cookie database at CookieCert it is clear that most of the top tier sites are not attempting to achieve compliance any of the methods described here. Most (so far) are just ignoring the problem entirely, showing us how much of a shambles this whole thing is.

Additionally the solutions provided by many of the comment authors in this discussion thread are technically lacking in ways that will become apparent as the situation evolves. For example, no solution presented here detects Flash cookies or HTML 5 cookies, which are going to become more and more of an issue as those techniques are adopted by more and more sites. Certainly the law encompasses these "super cookies" within it's generic description.

Throw in the fact that advertising revenue fuels the free Internet, and all networks drop cookies and there is nothing you can do about it as a site/publisher, and you have a law which will probably never see the light of day in terms of widespread implementation.

over 4 years ago

Avatar-blank-50x50

Teja

For the interested reader also we have a complete list of audited sites along with an indication of whether they are yet compliant with the EU cookie law. It contains thousands of sites, and most are probably not compliant. Useful resource for anyone looking to see the status of a particular domain:

http://www.cookiecert.com/news/cookie-law-compliance-status-feb-2012.php

over 4 years ago

Lord Manley

Lord Manley, Principle Strategist / Director at BloomReach

It is a very simple choice between increased bounce rates and massive loss of data, analytics, CRM, cross channel attribution and targeted advertising.

If you are not a direct sales site which sells a high number, low profit single engagement product then I suspect that you want to be overt about this.

Stop looking for workarounds and bite the bullet - it is not as scary as you think and a staged approach is easily developed.

I am proud of the work we have been doing with privacy sliders and selection methods, but the basic answer to everyone's questions are generally fairly simple once we understand the individual business requirements.

I have yet to come up against any real issues with this legislation which were not in the minds of a client and yes, it is sometimes easy to forget one is an expert, but even then I am comfortable saying that we can always find the right answer for any site.

TL;DR: stop over complicating things and looking for sly tricks. Accept the law and consider the reason for it and this is not a scary prospect.

over 4 years ago

Avatar-blank-50x50

Mike O'Neill

Teja (CookieCert),

I strongly disagree with most of your points.

The law has already "seen the light of day", and has overwhelming backing from citizens across Europe. Many in the US look to Europe to lead the way on privacy.

Our standard solution removes all HTML5 local storage 1st party cookies and our ThirdParty service stops all 3rd party cookies and tracking techniques, unless visitors have opted-in.

We have Flash cookie removal working in-house and it will be supported as standard in a forthcoming release.

What we do think is ignoring the issue is pointlessly assembling a "database" of cookie names. The name, subkey and value of a cookie can be changed by the programmer at any time,and can even vary between visits from the same browser. Some tracking applications may have constant name components but many do not.

As for advertising "fueling the free internet", as Henry Ford said, there is no such thing as a free lunch. Advertisers are perfectly capable of using their ingenuity and skills to help brands ecommerce sales without relying on covertly tracking people. Some thrive on doing so.

As you would realise if you actually examined our technology we do take this seriously. We are committed to helping any web publisher to get it right and have been entirely focussed on addressing the PECR since 2010. We now have a solution that can lets publishers keep 3rd party content and ensure their visitors can choose to accept 3rd party cookies or not.

I agree there is much white noise out there however which only confuses publishers.

over 4 years ago

Christopher Rose

Christopher Rose, PPC Marketing Director at Rose Digital Marketing

As the owner of several sites, I am left feeling bewildered and unable to cope.

I know my sites are setting cookies but I have no idea how or why, nor - apart from standard Google Analytics information - am I getting any data from whatever cookies my sites might be setting.

As I don't even know how my sites set cookies, how on earth am I supposed to deal with this directive?

over 4 years ago

Avatar-blank-50x50

Mark Steven

Cookie Control - http://civicuk.com/cookie-law - takes an approach similar to that of the second example in the post.

It's not a magic bullet: you still need to get your head around how cookies are working on your site and that can be a headache in the short term.

It's actually a good thing that we now need to understand what it is about our sites that is likely to compromise our user's privacy.

The ad networks have now had around 18 months to comply with the legislation. They have absolutely failed to provide compliant solutions and are still pushing for non-compliant, opt-out solutions. These guys simply aren't helping us - and personally I think it's time they did.

@Christopher, our colleagues over at Attacat have developed a handy tool which helps document cookies on your sites: http://www.attacat.co.uk/resources/cookies. If you need a hand evaluating Cookie Control we're happy to help.

over 4 years ago

Graham Charlton

Graham Charlton, Editor in Chief at ClickZ Global

Thanks for all the comments, some interesting views.

I think, as Manley and Mike say, whatever the rights and wrongs of the legislation, it's time to come to the realisation that it's happening, and find the best solution to comply.

I like the idea of a solution which provides absolute clarity for site users - tell them what cookies are being used on your site and why.

over 4 years ago

Julian Felstead

Julian Felstead, MD at 1Job.co.uk - Direct Recruit Ltd

Err excuse me what is this law for? I mean really what is this for?

Why not just have a seal on all new PC's and Mobiles that says - danger if you use this equipment then someone somewhere will try and collect data about you and they may even try and sell you something.

Pandora's box was opened a long, long time ago.

Shutting it.... well is that really possible?

over 4 years ago

Avatar-blank-50x50

Paweł Banaszak, Owner at Nordcomm Consulting

If you look at a broader European perspective you'll notice that the way the rules are implemented differs largely from state to state.
For example here in Poland the (so far) draft regulation says that consent is implied and an opt-out solution based on the browser options is enough. As far as I know Poland is not the only EU state which interprets the directive this way.

over 4 years ago

Alasdair Wightman

Alasdair Wightman, Digital Analyst at So What Analytics

Mike,

I would question your point that the new law has the "overwhelming backing of citizens across Europe". I doubt whether 5% of the EU adult population knows about this law let alone what it precisely means. But I would agree you can't just sit there and do nothing.

The key problem we have is the law is far to broad which is leading to much confusion. Is capturing anonymised GA data the same as individual 3rd party ad-tracking across multiple sites? No of course its not. However we can't just blame the EU and the ICO.
Ultimately we as a digital marketing industry have failed to properly get involved at an earlier stage to critique and shape the law to make it more relevant and specific to the different forms and levels of data capture.

However I still think there is a chance for us to set practical precedents in implementations which may not comply to the precise written law but will be acceptable to the ICO and to the general consumer. I believe in particular there is still a chance for sites that just use GA or similar anonymised analytics data to try and use an implied consent model with makes clear that no personal data is being captured. That doesn't mean you can do nothing but if you are pro-active I think you could avoid the 90% data loss the ICO site experienced.

over 4 years ago

Avatar-blank-50x50

Mike O'Neill

Hi Alisdair,

GA co-opts the publisher's domain to put a 2 year persistent cookie with a visitor unique value down. This is available to the publisher and any 3rd party script running in the domain. It is also sent in an Ajax call to Google. This value can be used as a key that can index any PII that is held by any of these players, including Google who may hold Google+ PII etc.
In what way can this be said to be "anonymised"?

This law was was subject to a lengthy democratic process and debated both in the European parliament and in parliaments of member states. In the European parliament it had majority backing across the political spectrum, and many polls have shown that the huge majority of citizens do not want to be tracked without their consent.

BTW CookieQ has support for Google Analytics so that optionally even when the __utmX cookies are deleted (which they if visitors have not consented to them) a unique visitor indication is signalled.

over 4 years ago

Ashley Friedlein

Ashley Friedlein, Founder, Econsultancy & President, Centaur Marketing at Econsultancy, Centaur MarketingStaff

@All Lots of good points here. I would just echo Meriel's comment that "implied consent is NOT legal" so those people saying they'll stick with implied consent are kidding themselves.

@Mike O'Neill. I looked at some of your sites and your solution is certainly easy to see and is clearly opt-in rather than opt out so looks 'compliant'. However, in none of the cases I looked at was I even mildly tempted to opt in for the cookies (and I understand what they are and their benefits). I'd be interested to know what your opt-in rate (as a % of unique visitors perhaps) is? I'd guess below 10%?

over 4 years ago

Adam Tudor

Adam Tudor, Senior Digital Marketing Manager at The Black Hole

I don't think this has been posted here but will share it -

http://www.pcpro.co.uk/blogs/2011/06/23/how-new-eu-cookies-rules-could-decimate-web-advertising/

An interesting indication, if the reality is anything close then online advertising revenues will be expecting a sharp fall in the coming months.

I think a lot of major companies will resist this as long as possible (obviously, why make things harder for your customers?) and I doubt we will see any of them implement anything before Q3 / Q4 2012.

I am hoping that internet browsers will be able to sort this out longer term, with tracking options needed to be stated and accepted on install or load up(accept all cookies?). I can't see a world where accepting an additional click on each and every website I visit will give me a pleasant web-browsing experience.

over 4 years ago

Alasdair Wightman

Alasdair Wightman, Digital Analyst at So What Analytics

Hi Mike,

What you are describing there is a misuse of GA not an actual issue with GA itself. The Google Analytics Terms of Service are very explicit about not trying to connect PII data with GA:

"PRIVACY . You will not (and will not allow any third party to) use the Service to track or collect personally identifiable information of Internet users, nor will You (or will You allow any third party to) associate any data gathered from Your website(s) (or such third parties' website(s)) with any personally identifying information from any source as part of Your use (or such third parties' use) of the Service. You will have and abide by an appropriate privacy policy and will comply with all applicable laws relating to the collection of information from visitors to Your websites. You must post a privacy policy and that policy must provide notice of your use of a cookie that collects anonymous traffic data."

I can't prove this statistically but I strongly suspect most businesses in the UK who use GA are not connecting any PII data to their GA accounts and are purely using the data captured on an aggregated and anonymous level. Which leads to the question why punish the majority of honest businesses for the actions of a few.

Quite rightly if a business is trying to connect PII data with GA they should be stopped from using GA and prosecuted if they have broken data privacy laws.

over 4 years ago

Avatar-blank-50x50

Mike O'Neill

Hi Ashley,

It was much higher than 10% last time I checked, but that was possibly not a representative sample as people are playing around with it. I will get back to you with a more accurate figure.

We have had only positive feedback from our customers, many of whom have been using it for several months. The look & feel of our buttons, banners and panels etc. is customisable. Customers can supply their own style sheet files and design, size, shape, fonts, colours etc. are all changeable.

Remember that cookies "strictly necessary to supply a requested service" are fine, and we have an API for that. I expect that publishers who need to use non strictly necessary cookies may want to give their visitors incentives to agree, and we have support for that also.

over 4 years ago

Ashley Friedlein

Ashley Friedlein, Founder, Econsultancy & President, Centaur Marketing at Econsultancy, Centaur MarketingStaff

@Mike Would be very interested in any data you can provide but it sounds encouraging.

over 4 years ago

Avatar-blank-50x50

Mike O'Neill

Hi Alisdair,

Thats true but others, not party to the GA agreement, can still use the cookies.
Publishers often place references to external script files on their pages. They do not always know exactly what this script does, and in any case may be upgraded later without the publisher's knowledge to include new functionality. This script has access to all cookies in the publishers domain - including ones where the name component is set to __utma.
The author of this script can send the visitor unique value via Ajax, where it can be linked with PII, and they will never have had to agree a contract with Google. They do not have to place their own cookie so may not fall foul of the PECR(some say they still would though).

I agree with you that small businesses are having to bear the brunt, and should have been made aware of it and given more detailed advice earlier. We developed our technology to help them deal with it.

over 4 years ago

Mark Chapman

Mark Chapman, Director of Client Strategy + Services at White Hat Media

This 'Cookie Law' issue seems to be unnecessary bureaucracy / red tape that keeps Whitehall types in a job.

This is not a 'light touch' regulatory approach - it is bureaucrats getting involved in ordinary day-to-day website running, paid for by the taxpayer. It is a fundamental abuse of what taxes for - and it is 100% unnecessary political interference in business life.

I feel, @Ashley, you are kowtow-ing to the push from 'Whitehall' though I think you are merely reflecting anybody else's capability or belief there is much we can do anything about it.

There really should be more push-back from the eCommerce community. I have no idea why 'the British' rollover and allow this type of additional imposition on their workload by people who do not generate any wealth (merely spend taxpayers money implementing their ivory tower ideas).

I know senior civil servants who think eBay is full of only stolen goods; these supposed 'public servants' should not be governing the web. The world of eCommerce should do it ourselves - because it could do - and not end up paying people (via taxes) who know little about the commercial world.

mark.

over 4 years ago

Mark Chapman

Mark Chapman, Director of Client Strategy + Services at White Hat Media

Thinking on this some more, this could be one of those areas we could do with effort or a campaign to push away unnecessary bureaucracy.

Perhaps we need a UK eCommerce / Internet body that lawmakers must liaise with but not dictate to; I just don't think it should come from quangos and politicians who have a vested interest in having meetings and lunches to discuss the commercial Internet.

This is one of those areas the Web community should have a strong voice about... unnecessary legal and political interference.

It is a nanny state thing, I think. We don't have to be treated like kids. Or maybe some people don't mind that?

over 4 years ago

Carlton Jefferis

Carlton Jefferis, CEO & Founder at Gettus!

If this could ever be described in terms of a hype cycle, we'd be heading down into a trough of disillusionment! Sorry, bit of a rant brewing...

Shouldn't we set aside the technical issues and relative merits of the law itself (or lack thereof!) because with the greatest of respect none of this really matters. What does matter is how real people out there sitting in front of their computers, tablets, smartphones and connected TVs feel about all this when it starts to affect them. Right now they're relatively (or completely) clueless and life goes on as normal. Come 20th May and the build-up period beforehand there will be much said about this and most will be misinformation, mass confusion and the usual Daily Mail propaganda. You know it's gonna happen.

If at that point we, as both an industry and as individual businesses, have done nothing to educate people and our websites are throwing up the modals, dropdowns and pop-ups which are all mentioned above and in the comments, I reckon we could be in for a pretty bumpy ride. People don't really care for options and checkboxes, nor do they care whether this stuff "improves our website". Why would a customer give a monkey's whether this improves your website? Instead, how does this improve THEIR experience?

Most people won't care for cookies unless they're ones they can eat but I bet they'll understand words like 'advertising' and 'personalisation' when used in conjunction with something to do with 'privacy'. Who wouldn't want to opt out of advertising? This is gold. Like an online TiVo or Sky+ that not only fast forwards the annoying ads but can actually kill them completely.

If we talk at them about this stuff they will switch off. Wouldn't you? If we engage with them in a creative, meaningful and honest way they may just get it. Utilise the right mix of persuasive techniques, such as Cialdini's principles of persuasion, and we could end up wondering what all the fuss was about.

I can't help but feel we're all looking at this from inside our little digital marketing bubble and completely forgetting the people that matter to us most; those people for whom the law's designed to protect. This is just the latest example of 'power to the people' and we'd all better get used to it as it's a one-way ride.

over 4 years ago

Avatar-blank-50x50

Stev Ideh

So many and varied comments, the user is left in bewilderment. Very little consideration seems to be given to customer experience in all of these. Any option that will impact customer journey will need to be well thought out and to me all the options advcated seem to be weighted more to compliance than the customer.

Considering that we all as customers will be impacted by this law, the ICO, the press and businesses will need to do more by way of enlightenment between now and May in order to reduce the impact on the millions of customers who are either unaware of cookies or the cookie regulation.

over 4 years ago

Avatar-blank-50x50

Russ

My view aligns with that of Alasdair. If a site is carrying or referencing a script that has the effect of being able to interrogate and use a GA cookie value, the publisher of the site is not only breaking his agreement with the GA Terms of Service but, more importantly, is also failing to explain to a user what such scripts are doing, and therefore is in clear breach of the PECR. The relevant bit of the law in this context is that the user "...is provided with clear and comprehensive information about the purposes of the storage of, OR ACCESS TO, that information" (my emphasised caps).

In this sense, and without being at all dismissive of the various solutions currently available, a simple box-ticking "Are you happy to accept these cookies?" approach, in the absence of further information, misses the whole point of the legislation, because the legislation is not just about 'cookies'. A publisher's ignorance of the presence or operation of such 3rd party operations (cookies, scripts, references, whatever) is no excuse IMO, and if this legislation forces publishers to be responsible for examining and knowing exactly what they are publishing, then at least it will have produced a positive result. Carlton's right: publishers need to get a lot more upfront and honest with their users about what is going on.

over 4 years ago

Avatar-blank-50x50

Kevin Edwards

You might be interested in the advice the IAB's Affiliate Marketing Council is giving to publishers. They've just launched a Consumer Transparency Framework: http://www.iabaffiliatemarketing.com/iab-affiliate-marketing-council-publishes-consumer-transparency-framework/ as part of a Five Point Plan aimed at handling all the issues associated with the revised Directive.

over 4 years ago

Avatar-blank-50x50

Rob Lorton

Healthy debates, all good.
My Board are certainly interested in what our retail competitors are doing, and don’t want to be the leading light example of best practice if nobody else in the sector is doing anything. Meanwhile we are looking at creative executions and technical solutions to meet the letter, and spirit, of the legislation and ICO guide by the deadline. I choose my words carefully.

IMHO I reckon the ICO has no wish to get involved in policing this, other than protecting the public from the real baddies (malware, viruses). But let’s face it, the legislation is a chocolate teapot for that, just as TPS protects me from offshore call centres. But seeing as the EU is driving this, gov.uk have no choice but to act. That said, I believe the ICO December guide is well written: deliberately not overly prescriptive, yet pragmatic, realistic and suitably vague. Doing nothing is not an option. Neither is taking implied consent for all tracking & cookies.

Ad retargeting is a good recruitment tool for us, and some fears are being played out: a) one big retargeting partner seems fairly clueless on the legislation changes. b) there’s an important marketing job ahead to *sell* the benefits of 3rd party cookie & tracking to our visitors. Again, I have yet to see any moves on this from our partners.

Rather than tricking visitors into opting in, I am looking to all 3rd party retarget advertisers out there to help vendors sell this concept to their visitors. Considering it’ll be life or death for their industry, they need to get on it quickly.

Echoing @Steve Ideh above, and as pointed out by the ICO, visitors are largely ignorant about cookies and tracking for now. If the tabloids decide there’s a sensationalist paper-selling frenzy to be had, we’re in trouble. We all need to be proactive in educating our visitors about what, how and why along with the opt-in solutions. But OTOH I feel it’s counter-productive having reams of minute detail on actual cookie content (aunty Beeb please note).

over 4 years ago

Ashley Friedlein

Ashley Friedlein, Founder, Econsultancy & President, Centaur Marketing at Econsultancy, Centaur MarketingStaff

@Mark I agree with your sentiment. The problem is that it's a bit late now to protest as this is already law. It also comes from the EU so the ICO in the UK has to enforce it despite the fact that privately, I sense, they disagree with it. As I've said many times before I think this has been politically pushed by the French and Germans who have much more stringent media laws than the UK anyway.

I'm intrigued that Google seems to have been quite quiet in all this. They have been active on other fronts (e.g. SOPA in the US) and have the political and financial clout to wade in. Recently, of course, they've been 'busy' with their own privacy changes. But no mention that I'm aware of on their stance as regards this EU directive and use of cookies. My guess is that they will deem their recent changes 'enough' whereas I would interpret them as implied opt-in rather than active consent.

I'm somewhat torn about what Econsultancy should do on our own site to be honest. On the one hand we should exhibit 'best practice'; on the other, I disagree with the whole thing in the first place so perhaps we should 'protest'. Currently we have no plans in our development pipeline to address the issue and the deadline is fast approaching. It's very tempting to just do nothing and see what happens ;)

over 4 years ago

Mark Chapman

Mark Chapman, Director of Client Strategy + Services at White Hat Media

Maybe we could organise a petition and letters to MPs etc from the industry?

over 4 years ago

Mark Chapman

Mark Chapman, Director of Client Strategy + Services at White Hat Media

And I meant to reply re: @Carlton who said: "I can't help but feel we're all looking at this from inside our little digital marketing bubble and completely forgetting the people that matter to us most; those people for whom the law's designed to protect. This is just the latest example of 'power to the people' and we'd all better get used to it as it's a one-way ride."

What 'people power'? What do they really need to be protected from? This is driven by self-ingratiating politicians, anonymous civil servants and anti-commercial sentiment... there has been no mass public demand for this approach to cookie regulation. A great deal, I'm sure, is a waste of time and money (time and money we can all do without losing).

While an open and transparent approach to cookies I'm sure should be supported (and I'm all for reining in the criminal, immoral and plain greedy), there is no need to foist it on to an entire industry and threatening legal action the way it has been; this is the EU / UK legislators way of doing things.

To be frank, this whole matter could have been better and more economically handled by working with the browser companies and organisations. But there you go, bloated legal and public servants in the corridors of power need to justify their salaries and set up a taxpayer-funded regime to police us naughty schoolchildren.

As for saying we work in a 'digital marketing bubble', that's plain wrong. The Web is a major commercial global industry generating enormous (and growing) revenue for the economy that deserves a little more respect, not belittling or being treated like some kind of errant group of young layabouts.

over 4 years ago

Carlton Jefferis

Carlton Jefferis, CEO & Founder at Gettus!

Hi Mark. You may have misjudged my sentiment. We're on the same side but looking at it from opposite ends of the spectrum. I'm not debating the merits of the law itself as that now seems futile given that it's actual law. The time and place for that was eons ago when EU got their grubby mitts on it and we all laid down and let them shaft us. For what it's worth I think it's a ridiculous law.

Our industry could have lobbied and self-regulated but it didn't, and who would have been the first to step up and say we need to do something about cookies and privacy when everything was going so swimmingly? It's a little like the banks all deciding they won't do sub-prime mortgages in 2005; those 'in the know' realised it wasn't sustainable but no-one wanted to be the first to stop it for fear of impacting sales.

I'm merely pointing out that the vast majority of comments above, including most of the original blog post itself, present no real consideration as to how this experience plays out in the mind of the user who is sitting there, completely baffled by these pop-up thingys (that weren't there on 19th May) telling them stuff they have no clue about.

Browsers settings could still provide a number of solutions but as pointed out in one of the comments above they could actually make matters more difficult to encourage users to turn stuff on that by default is turned off. We wait and see.

My remark 'power to the people' isn’t suggesting it's demanded by the people at all. 'People power' is something different. But if you doubt this view just look at what UK Gov are doing right now (whether you agree with it or not) with the Consumer Empowerment Strategy and Midata initiative. This is a crystal clear signal, if ever there was a need for one, that governments are gradually facilitating a shift of control away from commercial organisations towards people.

Again, make no mistake about my sentiment. I'm not belittling our industry at all, just suggesting we look at the subject from a different perspective. I think whole thing sucks but we need to bite the bullet and get on with it.

over 4 years ago

Avatar-blank-50x50

Ollie Phillips

Another opensource approach here which employs the warning bar approach.

http://cookiesdirective.com

over 4 years ago

Mark Chapman

Mark Chapman, Director of Client Strategy + Services at White Hat Media

The chorus of disapproval from us seems huge but I'm not aware our industry has communicated the strong opposition, pointlessness etc to this law in strong, unified fashion. We really should be more organised about something as unhelpful to the Web as this legislation.

Thanks for clarifying @Carlton - my frustrations are at the law and legislators not individual views.

What is a farce at this EU / UK law is that it is creating unnecessary extra work for everyone when the bigger issue is to get the economy growing. We should not be doing this cookie law implementation now - we've got to get money into our companies and pay ourselves etc.

Let's think about this cookie law matter again... Why do we have to have layers appearing in front of our websites? That's not the case for TV - we can't press the red button and choose not to watch any adverts. Ditto with radio. And we can't stop newspapers advertising to us.

Why decide to beat the Web this way? Why are we letting f faceless bureaucrats do this to the Web?

Think we need to be better organised and vocal, lobbying in the name of common sense.

These overpaid bureaucrats (funded by public money) seem to have practically nothing better to do with their time when there is more they could be doing elsewhere (better tackling world poverty and stopping wars, for instance!).

Maybe they see the Web is a threat to normal business and political process (it's certainly more democratic and involving than offline government and business)... and it listens to and responds to people and customers more closely.

I still think the answer lies with better cookie control via browsers instead of wasting huge amounts of time and plain insensitive, crass legislative sabre-rattling.

I'm incensed these legislators are using the law as a weapon against this progressive and, in the main, relatively peaceful industry. How dare they threaten and beat us... For a start, all good businesses knows the carrot approach is better than a stick. It just shows how poor is the state of government in this day and age. Can't manage their way out of a paper bag most of the time.

Honestly, politicians do themselves no favours pursuing law-abiding people and organisations this way. They should be ashamed of themselves for allowing it - and we need to stop them doing it.

over 4 years ago

Mark Chapman

Mark Chapman, Director of Client Strategy + Services at White Hat Media

A key issue that is being overlooked is the unnecessary extra work for everyone when the bigger issue is to get the economy growing. We should not be doing this now - we've got to get money into our companies and pay ourselves etc.

A key issue that gets me is the (probably mostly) unnecessary extra work for everyone when the bigger issue is to get the economy growing. We should not be doing this now - we've got to get money into our companies and pay ourselves etc.

How we have let overpaid faceless bureaucrats dictate we should have layers in front of our websites, I don't understand. Why is this so important to these numpties? Because it's a threat to vested offline media and business interests, probably. That is the corrupt (or inept) face of EU / UK politics today.

Think about the basics here: We don't press a red button to stop TV adverts. Ditto for radio, and we wouldn't stop newspapers advertising to us.

Politicians do themselves no favours enforcing this crass, insensitive cookie law, beating a peaceful, law-abiding industry with sticks when all good businesses know carrots are better than sticks.

mark.

over 4 years ago

Mark Chapman

Mark Chapman, Director of Client Strategy + Services at White Hat Media

@Carlton - appreciate your explanations; it's the law and the legislative process that is simply out-of-date, old fashioned etc. It, and people within it, aren't keeping up with the modern generation.

over 4 years ago

Julian Felstead

Julian Felstead, MD at 1Job.co.uk - Direct Recruit Ltd

What Is Likely To Happen… and How This Law Makes The Privacy Situation Worse Not Better:

(Hey follow me on this - I know it is a long post.................. )

I have spoken to a lot of ordinary people about this to try and find out how they would react to complying sites, and this is how I believe things would pan out over a pretty short period of time:

1. Assuming all or most sites comply (this may be a big assumption in the first place of course).

2. Windows appear on many, many, sites checking if people will accept their sites cookies.

3. First reaction for many people will be to click ‘no - do not accept cookies’ – why accept something that potentially is to do with your privacy?

4. Sites will then either: not work well at best; not work at all in many places; or maybe the site owner will not let the user onto their site at all.

5. Most users will then, over a short period of time, start to accept all cookies on all sites.
(This is like people always accepting T&C’s wherever they occur. We happily tick the box every time it appears don't we? Hey... have you read and understood the new Google T&C’s for instance or did you just accept them? )

6. Now at this point we are accepting all cookies everywhere we go. And of course because of this maybe even more potentially ‘evil’ cookies.

(In fact doesn't this encourage site owners to put any types of cookies onto their sites when they know 99% of people will be accepting cookies everywhere, everytime...)

7. Finally… would you ever go to your browser and click ‘delete all cookies’? Quite a few people currently regularly choose to delete all the cookies on their machine. BUT would you want to do this if it meant going back to the first state of having to accept cookies again on all the sites you visit? I don’t think so.

In fact the ‘delete all cookies’ button on my machine better now start to have a warning saying "are you sure you want to delete all cookies? You will mess up the internet again for yourself".

8. Result our computers are full of cookies. Plus, most likely, a lot more ‘evil cookies ’ that can track you and do all the sorts of privacy stuff and dodgy stuff you don’t want!

QED the result: This privacy law makes the situation worse NOT better.

This law ought to come into being not in May, but on the 1st of April – Isn't that the most appropriate date for it?

Do people agree with me on this?

P.S. The picture of me is not correct - I don't actully look like that. Just thought I ought to say in case they bring in a law about misrepresentation of identity photos on forums anytime soon.

over 4 years ago

Julian Felstead

Julian Felstead, MD at 1Job.co.uk - Direct Recruit Ltd

What Is Likely To Happen… and How This Law Makes The Privacy Situation Worse Not Better:

(I have just re-written the longer post above - sorry it was so long I was writing as I thought it out......... )

Assuming all or most sites comply (this may be a big assumption in the first place of course).

Ordinary people I have spoken to say they will react like this:

1. Window appears about cookies: Choose not to accept them.

2. Site does not work properly or not allowed in at all. Tick box and accept them.

3. Visit other sites and always tick ‘Accept Cookies’ box. (Just like you do with T&C acceptance already).

4. Finally – never, never ever choose to click ‘Delete Cookies’ on your browser as this means you’d have to click all those ‘Accept Cookies’ boxes on all those sites again.

Final situation becomes:

99% users always click ‘Accept Cookies’ wherever they go immediately – how many times do you want to read about utm cookies etc etc..

Finally site owners you can now put any type of cookies you like on your sites. And ‘evil’ and dodgy site owners just do what you like and what’s more everyone has agreed and opted in to accept your ‘evil’ stuff - perfect.

over 4 years ago

Avatar-blank-50x50

Depesh Mandalia, Head of Digital Marketing at Lost My Name

@Ashley I don't see a wide spread clampdown of 'non-conformers' come the end of May but I do see the possibility of looking for bad examples which the pen pushers want to make an example of. I don't think econsultancy would be one of them but major retailers and brand names would certainly be the focus of attention with the intent of this being to scare smaller businesses into doing something.

I mean honestly how are they going to police this from the millions of websites out there? Ultimately its in the hands of the consumer to complain and I'm sure privacy groups will be on the hunt but what I see from this thread is that there still isn't a clear consensus of the boundaries of the directive and still further confusion on how to implement the protocol.

Sitting on hands and seeing what happens is what I imagine most small and medium sized businesses will be doing whilst others around them work on confusing users, trashing the user experience, losing analytics etc until such time as the directive is reversed or better clarity is placed on how to implement this better (ie. place control in browser or a more unified approach by the majority of sites)

Agree with @Carlton's view. Its happening, deal with it as best you can.

@Ollie that's a useful script, good approach - what's the uptake been like?

over 4 years ago

Ashley Friedlein

Ashley Friedlein, Founder, Econsultancy & President, Centaur Marketing at Econsultancy, Centaur MarketingStaff

@Julian Yes, I think your theory might well be correct and this won't help users at all in the end. I don't think users read privacy policies or T&Cs on sites at the moment anyway? Apple have MASSIVE legal bumpf you have to sign up to almost every day (highly annoying) but I'm sure everyone agrees to it and no-one reads it. Just keeps the lawyers in work.

over 4 years ago

Avatar-blank-50x50

Russ

Given there have been more blogs on this subject than there are number of sites who've actually implemented a fully-compliant solution, even at this apparent 11th hour, reinforces Rob Lorton's view that there is a whole swath of big commercial sites who are waiting to see what their counterparts are planning to do.

As Teja (Cookiecert) has shown, none of the top UK 150 sites is compliant or is showing any outward sign of it as yet, and there's little doubt all of them are waiting to see what the others might do.

ICO's interim December 2011 report was characterised by a "must try harder" and "could do better" message, and the Commissioner stated "...there will not be a wave of knee-jerk formal enforcement actions taken against those who are not yet compliant but are trying to get there". It's therefore difficult to read the political runes of how ICO will view its enforcement role post May - 'trying to get there' covers a multitude of possible stances.

My experience with governmental agencies trying to enforce EU regulations they feel somewhat ambivalent about is that they will either go into an initial 'deafening silence' mode or they will simply sit back and see what kind of response the broad publishing market has taken.

The two main factors driving ICO in the immediate post-May months will I think be a complaints-driven strategy coupled with their ongoing desparation to see a browser-based solution (the latter becoming more and more hopelessly flawed and confusing in my personal view).

The role of the mainstream press will be pertinent in the context of ICO's response, but apart from the odd Daily Mail "Look what the EU are doing to us now!" response, I do not expect the subject to get much strenuous mainstream coverage, because the major players know they have a huge online problem themselves, and they are unlikely to break ranks.

I suspect few of the big 150 will rollout anything significant before the end of May. Keep an eye on auntie Beeb though - it's creative youngsters may be cooking up something very off the wall and, err, 'distinctive'.

over 4 years ago

Graham Charlton

Graham Charlton, Editor in Chief at ClickZ Global

@Russ - it was picked up by the Akismet spam filter (not sure why) but I've published now, thanks.

over 4 years ago

Ashley Friedlein

Ashley Friedlein, Founder, Econsultancy & President, Centaur Marketing at Econsultancy, Centaur MarketingStaff

@ALL We've just sent out an email to all UK Econsultancy members to do a quick survey on this very issue given there's clearly a lot of strong feelings on it.

The survey is at http://email.econsultancy.com/t/4561013/266200/8763/0/ and closes this coming Monday.

over 4 years ago

Matt Clark

Matt Clark, Analytics / CRO Consultant at Userflow

Great discussion from everyone.

My first thoughts are that I really think that the 5-10% user acceptance rates which has been mentioned are way to high.

Sites which already have complied produce misleading higher statistics:

a) Because they are related to the industry and therefore frequented by advocates of tracking

b) Because they are a handful of examples of compliance mechanisms and are therefore blogged about and visited by industry people who want to see what happens to the code when you click 'yes'

I think real world user %s are going to be much, much lower. I would estimate 0.1% or lower.

Most people are suspicious of cookies, if there is no incentive to allow cookies than why would anyone agree?

Even with email sign-ups here the user benefits from offers in return for providing their email the sign-up rates are usually less than 1% sometimes way lower.

I agree with Alasdair that we haven't done enough about this as an industry and should still be doing more.

A very good case can be made, e-commerce is one of the few sectors still growing in the UK. Why would the government want to risk innovation, current / future growth if they fully understood the potential damage this could do?

Maybe we need to make our voices heard?

over 4 years ago

Ashley Friedlein

Ashley Friedlein, Founder, Econsultancy & President, Centaur Marketing at Econsultancy, Centaur MarketingStaff

@Matt "Maybe we need to make our voices heard?" - did you read my last comment about the survey we've just set live? ;)

We should all do the survey so our voices are captured and heard. But it is a bit little a bit late! The trouble with us digital folk is a) we have the attention span of gnats (so anything regulatory is just *too boring*) and b) we leave everything until the last minute ;)

over 4 years ago

Avatar-blank-50x50

M Yates

No mention of the work being done by the World Wide Web Consortium (W3C) in the area of privacy, particularly in the development of Industry standards around browser behaviour and 'Do Not Track' functionality.
http://www.w3.org/Privacy/

If you have an interest in this area then get involved in the community development of fit for purpose standards with the W3C.

over 4 years ago

Avatar-blank-50x50

M Yates

No mention of the work being done by the World Wide Web Consortium (W3C) in the area of privacy, particularly in the development of Industry standards around browser behaviour and 'Do Not Track' functionality.
http://www.w3.org/Privacy/

If you have an interest in this area then get involved in the community development of fit for purpose standards with the W3C.

over 4 years ago

Avatar-blank-50x50

Rob

Does this all apply to emails as well. Do these now need a disclaimer on them and that there clicks are being tracked? It's actually more intrusive than web as you have their names as well.

over 4 years ago

Avatar-blank-50x50

Kevin Edwards

I've already referenced this above but the Affiliate Marketing Council has actually been on top of this issue for quite a while and it has really surprised me that other disciplines have sleepwalked their way through all the debate and discussion.

Thanks to collaborative efforts in the industry we set up an Affiliate Legislation Committee early in 2011 and devised a Five Point Plan that highlights the need for transparency and education. We also launched a Consumer Transparency Framework this week and are working on an information site and standard text for affiliates and publishers to link to.

We have also issued auditing advice and templates and have met with the ICO for ongoing feedback. Nick Stringer at the IAB has been particularly helpful throughout the whole process.

I'd urge you to take a look as this hopefully gives people an idea of the practical and pragmatic approach we're taking.

http://www.iabaffiliatemarketing.com

over 4 years ago

Matt Clark

Matt Clark, Analytics / CRO Consultant at Userflow

@Ashley

Absolutely! And I'd encourage everyone on taking the survey.

Thanks for organising that, I've just completed it myself which was what led me here (nice move!).

I'd be interested to hear on your plans for the results.

Agree it's late in the day, but my feeling is that if you could make the case to the right people (ministers) the ICO would fall in to line. What's more important, UK jobs or EU bureaucracy?

It would be interesting if we could put together a model of how many jobs / much revenue could be lost worst case scenario, if there were no tracking cookies at all based on all current uses. No more affiliate industry, reduced analytics, no more MVT, reduced SEO/PPC, the end of certain tech companies (or at least until they develop a no cookie solution). Plus lost revenues from clients themselves from lack on insight, reduced marketing ROI etc.

My senese of urgency is reduced slightly be the slow uptake in Europe. Many other countries have apparently already enforced this law, but there is a little evidence of that so far from looking at some big retailers.

I've spoke to one MVT platform about this and they've seen no impact on European clients since the law came in.

Still think it's important we get clarity on what's going to happen in the UK and make our position clear though.

over 4 years ago

Ashley Friedlein

Ashley Friedlein, Founder, Econsultancy & President, Centaur Marketing at Econsultancy, Centaur MarketingStaff

@Matt Over 300 respondents to the survey already which is good. Firstly we want to publish the results of the survey as soon as we can next week just to get it out there. I guess what happens after that will depend on the results and the reaction.

As far as I understand it the ICO *has* to enforce what the EU has decreed. So to go against it would be tantamount to political war with Europe ;) Although, given the whole Euro thing, we're pretty much on the sidelines of Europe arguably anyway.

over 4 years ago

Ashley Friedlein

Ashley Friedlein, Founder, Econsultancy & President, Centaur Marketing at Econsultancy, Centaur MarketingStaff

@Kevin Thanks for this. I think everyone has been agreed for quite a while about the need for a cookie audit, clear guidance on your site about how cookies are used. This is just common sense really and has been a legal requirement for a long time?

I think the specific challenge is in the change from implied consent to active consent and exactly how this should be implemented from a user experience point of view.

From what I know almost every site uses cookies that (if one is honest) fall outside the 'strictly necessary' category (e.g. is any web analytics 'strictly necessary'? Any ad serving? Any email-click tracking? Any search optimisation efforts?) so really all sites *should* get *active* consent. Just putting a bigger sign/link on your site isn't enough.

What the ICO might be able to do is to interpret either 'strictly necessary' OR 'active' consent in a way that is grey enough to allow a get out clause from actual active consent. Which is how it has been up until now.

over 4 years ago

Matt Clark

Matt Clark, Analytics / CRO Consultant at Userflow

@Ashley Sounds good, look forward to reading that.

I agree with your sentiment, now more than ever in history arguably, we should be/are putting UK interests above Europe. And there has been a few examples of the government doing that recently. But as you say that's going to come from the top, the ICO's remit is interpret the rules unless told otherwise.

over 4 years ago

Avatar-blank-50x50

Kevin Edwards

@Matt Clark - only half the EU's members have transposed the revised Directive into their respective laws. If you then consider the interpretation of the law on a sliding scale of 'explicit consent risk' to digital within those countries the UK is generally considered at the low end.

over 4 years ago

Avatar-blank-50x50

Kevin Edwards

'Informed' consent is the order of the day and I think a staged approach to this is sensible.

To be frank we've been torn within the Affiliate industry on how much work we should do on this. We're not in the business of behavioural retargeting, the area of digital that is essentially in the firing line in this whole debate, and this industry has been the one that has therefore had to be most proactive in pushing out their own initiatives.

Therefore whilst we want to show willing (and we should all agree that the ability to self-regulate is preferable), we also don't want to draw too much attention to our area of digital for fear of the assumption that our cookies are equally intrusive (which they're not!)

over 4 years ago

Ashley Friedlein

Ashley Friedlein, Founder, Econsultancy & President, Centaur Marketing at Econsultancy, Centaur MarketingStaff

@Rob Good point on email. I hadn't really thought email, and email tracking, through. Makes life even more complicated!

over 4 years ago

Ashley Friedlein

Ashley Friedlein, Founder, Econsultancy & President, Centaur Marketing at Econsultancy, Centaur MarketingStaff

@Kevin Do the ICO agree with 'informed' consent and a 'staged approach'. If they officially said, or say, that, then that is quite different from my reading of the Directive which is pretty clear on active consent being required. And a 'staged approach' would basically give us all a further get out clause to be 'working on it' ad infinitum?

Personally I think behavioural retargeting (and the area of online advertising more generally) is a tricky area and one where there is a real, and sometimes justified, risk of consumer backlash against 'stalking' etc. So this does need addressing though it is very tricky because no consumer will ever *want* this form of targeting I expect.

However the Directive as stands impacts all of us. If it had been confined to network-based advertising cookies/tracking then I would have had less of an issue with it (though, of course, this is still a huge issue for the IAB and its members).

over 4 years ago

Avatar-blank-50x50

gary orman

on the face of it, protecting our privacy seems like a good thing... but our real privacy isn't really being protected at all if search engines like google (or sites like yahoo groups) can allow 'private' member-only postings to be read by anyone including minors via the search engine cache.

secondly, in practice, I'm not sure we as individuals will benefit from this directive - it's seems to be an overly complicated law that may cause more hassle and confusion and loss of freedom, depending on how it's policed and enforced. Mostly likely overzealous ISPs will simply switch off your site willy nilly or close your account (and take your money) for 'non-compliance'.

How about a much simpler solution? Require all browsers to have a cookie/privacy protection & management feature built-in and set to 'fairly strong' privacy as default - and then simply let the user (us) decide how much personal info we want to give away, and to whom, and how often we want to be asked, etc.?

Then there probably won't be any need for this directive at all, right???

over 4 years ago

Avatar-blank-50x50

Kevin Edwards

@Ashley The UK Government has stated that companies should seek informed consent.

By staged approach I mean we're looking at timeframes for various initiatives. We've provided information for clients on cookie audits alongside a set of FAQs. This week we rolled out the Consumer Transparency Framework for affiliates and publishers and next on our list is a standalone site that explains what affiliate marketing is and that can be linked to by anyone in the business.

Technically we are able to offer an opt-out but it's the subject of informed, educated consent (in other words explaining why digital advertising is good and facilitates so much freely available content online) that is the priority and is shaping the affiliate marketing approach at present.

over 4 years ago

Avatar-blank-50x50

Tim Gurney

Many months ago we released to solutions which should help companies with this problem.

http://cookies.dev.wolf-software.com : GA specific drop in solution.

http://jpecr.dev.wolf-software.com : a comprehensive multi site solution, with 4 different intrusion levels and 2 different display options.

Hope they help

over 4 years ago

Avatar-blank-50x50

Julian Taylor

Please clarify what you mean by 'The UK Government has stated that companies should seek informed consent.'? Should we seek specialist legal advice on the cookie law or what?

FYI the EU Cookie regulation is defined thus:

In full from DIRECTIVE 2009/136/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL:

Third parties may wish to store information on the equip­ment of a user, or gain access to information already stored, for a number of purposes, ranging from the legiti­mate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spy­ware or viruses). It is therefore of paramount importance that users be provided with clear and comprehensive infor­mation when engaging in any activity which could result in such storage or gaining of access. The methods of pro­viding information and offering the right to refuse should be as user-friendly as possible. Exceptions to the obligationto provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application. The enforcement of these require­ments should be made more effective by way of enhanced powers granted to the relevant national authorities

The ambiguity from ICO seems to be around exactly where should this take place. Do you just have a Privacy and Cookie Policy page, as suggested above in which case the cookie can still be served onto the user's computer or do you operate a strict policy that no cookie can be stored without the user's absolute consent? Personally I favour the cookielaw.org route of having a JQuery-powered bar at the top of the screen that clearly provides site visitors with the information on the cookies stored and the ability to quickly and easily remove them if they so desire.

over 4 years ago

Avatar-blank-50x50

JCS

Quick question, we 'know' the rules around gaining consent, however what is the deal with proving that consent has been given or denied?

For example are we supposed to track (oh the irony) the point of which consent was given or denied?

Surely, without being able to prove whether someone consented or not the law is not worth the PDF it is created on?

I can see the arguments now "Oh yes Mr ICO, he did consent, I promise, he just forgot!"

over 4 years ago

Mark Chapman

Mark Chapman, Director of Client Strategy + Services at White Hat Media

How is this law going to be enforceable, really?

Using the law to develop best practice in this area is like using a sledgehammer to crack a nut (or cookie, rather!). It is the wrong way to go about developing useful change.

Site after site, filled with opt-in cookie messages will be worse than Windows Update messages, dialogue boxes - and Apple bumpf @Ashley!

@Matt Clark articulates a key point well - "Agree it's late in the day, but my feeling is that if you could make the case to the right people (ministers) the ICO would fall in to line. What's more important, UK jobs or EU bureaucracy?"

Many of us really do have work to do to generate revenue for companies, while the ICO, EU / UK governments seem to be fiddling while the Economy burns.

over 4 years ago

Julian Felstead

Julian Felstead, MD at 1Job.co.uk - Direct Recruit Ltd

Hmmm...

Further to my earlier posts above where I explain how this law will achieve a worse situation than we currently have in terms of privacy protection (because ultimately people will end up opting in to everything everywhere - loosing our rights - and this is effectively worse than the current privacy position where we have NOT opted in to anything.)

Is this a more practical privacy solution....

1. ICO introduces clear category 'type and purpose' guidance on cookies. Agreed with the industry.

2. They create, say, 3 categories say for cookie 'types and purpose'. In my example system below:

Category 1 - Harmless providing only unidentifiable info to the site owner;

Category 2 - [define?? - the not so bad useful to the user stuff];

Category 3 - [define?? - the 'privacy evil' stuff - ones for really intrusive tracking and the stuff that may not help the user etc. etc]

3. For Cat 1 Cookies: the users will not be advised on the site other than the cookie being identified in the sites privacy policy on the sites 'table of cookies'.

4. For Cat 2 Cookies: the users would need to be informed that they are going to be entering a part of the site that a Cat 2 cookie is likely to be used with a description of the purpose fo the cookie (this could be a link to details about the cookie and what it is to be used for). If the user continues forward then this could be taken as acceptance by the user.

5. For Cat 3 Cookies: where the user is entering a site or part of a site where a Cat 3 cookie is to be used then the user would be required to have the cookies purpose fully explained AND the site would require the user to positively opt-in (tick box).

Additionally I would suggest that for this potentially 'privacy evil' opt-in Cat 3 cookie it could(perhaps?) be made reversible i.e. every time a user visited the site where they had applied an opt-in they could choose to change it to opt-out. This might also include a requirement for the site to delete any privacy data relating to the users past data (if possible? - ideally).

The 'Cookie Police' and 'Private Privacy Detectives' could then police this.

Finally if(?) cookie types and purposes can be detected on sites then maybe this could also be used to create a look-up directory for both EU and non EU sites about their cookies and purposes.

Does any of that sound possible, sensible and viable to others?

P.S. Think positive - this should enable a lot of people to remain in work creating this stuff, expert consultancies to grow up on it, and teams of police to police it all!

P.P.S. This EU thing still a load of old hogwash IMO... and I bet ICO know it... anyway I've got to go and get on with my knitting!
:-)

over 4 years ago

Matt Clark

Matt Clark, Analytics / CRO Consultant at Userflow

Why doesn't someone draft a letter and get the top 100 e-com operations to sign it (I bet most are members of Econsultancy!) , highlight the collective revenue / jobs they generate (which will be £Bs) and explain in clear terms that this legislation jeopardises that.

Send it to the PM and Vince Cable and see what happens. There has been a lot of discussion about the laws, but I'm not aware of any kind of petition or collective communication so far, but it could actually be pulled together without too much effort.

over 4 years ago

Mark Chapman

Mark Chapman, Director of Client Strategy + Services at White Hat Media

That's where my thought about a petition was coming from - and an open letter to national media / FT etc? I'll sign it. It's a useful approach that should ensure some decent media interest and give the issue some legs to ensure it keeps getting covered, legitimate questions are asked etc.

over 4 years ago

Ashley Friedlein

Ashley Friedlein, Founder, Econsultancy & President, Centaur Marketing at Econsultancy, Centaur MarketingStaff

@Matt/Mark I believe various trade bodies (e.g. IAB) have been busying lobbying and no doubt writing letters trying to aim for 'self-regulation' etc. I can't believe Google hasn't been lobbying behind the scenes too.

Let's see what comes out of our survey - 550+ respondents so far and it certainly seems the sentiment is pretty negative and strong!

over 4 years ago

Avatar-blank-50x50

Kevin Edwards

Whatever the Directive states it is transposed or interpreted into individual country laws. The UK Government has provided its own version of what it feels achieves compliance.

From an open letter from the DCMS in May 2011:

"It is important that stakeholders are aware that in its natural usage ‘consent’ rarely refers to a permission given after the action for which consent is being sought has been taken. This absolutely does not preclude a regulatory approach that recognises that in certain circumstances it is impracticable to obtain consent prior to processing. It also supports any approach underpinned by industry’s attempts to inform users about the specific choices available and as a result allow users to make choices (ie give consent) based on that information.

"Crucially, the requirement of the revised Directive is for informed consent. It is this requirement that has shaped the UK approach..."

I think we're at risk of missing what I see as the point: informed choices can only be made if the education piece is well executed, easy to digest and accessible.

Opt in or opt out are really misnomers as they are currently unlikely to be symptoms of informed consent (when was the last time you waded through indigestible privacy policies).

We have the ability to control the message - educate and then enable consumers to decide.

over 4 years ago

Mark Chapman

Mark Chapman, Director of Client Strategy + Services at White Hat Media

@Ashley - it's not clear to me what others have done exactly (i blame the large range of websites to read through :-). Be good to round things up and know who are the main players lobbying, and get in touch with them. Some unity from all groups and (potentially) important people always helps these things... builds a strong, clear voice and message.

thanks - mark.

over 4 years ago

Avatar-blank-50x50

Clerkendweller

Yes, it's the law and there has been a period of time to consider, act and comply. The time to lobby was 2 years ago. But remember it is not just cookies:

* HTTP cookies
* Local Shared Objects (LSO) i.e. Flash cookies
* userData in DHTML Behaviors
* data in a Google Gears database
* data in an Indexed Database API
* local data storage in mobile applications
* HTML5 storage

...and anything similar that exists now or in the future.

over 4 years ago

Avatar-blank-50x50

Kevin Edwards

Whatever the Directive states it is transposed or interpreted into individual country laws. The UK Government has provided its own version of what it feels achieves compliance.

From an open letter from the DCMS in May 2011:

"It is important that stakeholders are aware that in its natural usage ‘consent’ rarely refers to a permission given after the action for which consent is being sought has been taken. This absolutely does not preclude a regulatory approach that recognises that in certain circumstances it is impracticable to obtain consent prior to processing. It also supports any approach underpinned by industry’s attempts to inform users about the specific choices available and as a result allow users to make choices (ie give consent) based on that information.

"Crucially, the requirement of the revised Directive is for informed consent. It is this requirement that has shaped the UK approach..."

I think we're at risk of missing what I see as the point: informed choices can only be made if the education piece is well executed, easy to digest and accessible.

Opt in or opt out are really misnomers as they are currently unlikely to be symptoms of informed consent (when was the last time you waded through indigestible privacy policies).

We have the ability to control the message - educate and then enable consumers to decide.

over 4 years ago

Avatar-blank-50x50

Anna Bee

The law is ridiculous and only serves the purpose of confusing the end user and causing many small merchants to panic.

I run a couple of small retail shops if I had to ask for their permission to send them cookies there would be uproar as I would be getting emails asking why their cookies have not arrived!

The only users who care about cookies or even want to know what they are the ones who are are geeks and tin foil hats, and they would know how to disable them anyway!

We will have to reeducate a population on technical information that they don't care about but are likely to be initially frightened about in order to comply with a law that serves no real purpose as the use of cookies is generally practiced in most websites and are simply used to generate sessions, track affiliates and general site stats and are no threat to the user whatsoever in terms of data protection.

All the user wants to do is browse the web safely and all the webmasters want to do is have a site that works that they can improve upon. If it isn't broke don't fix it arrrgggg!

over 4 years ago

Ashley Friedlein

Ashley Friedlein, Founder, Econsultancy & President, Centaur Marketing at Econsultancy, Centaur MarketingStaff

@ALL We've just published the results of our survey on this. There is a new post at http://econsultancy.com/blog/9298-82-of-digital-marketers-see-the-eu-cookie-law-as-bad-for-the-web-survey and the full survey findings at http://econsultancy.com/reports/eu-eprivacy-directive-survey

My favourite quote "It's a travesty of an orchestra, conducted by Terry Fuckwitt."

over 4 years ago

Avatar-blank-50x50

Phil Allen, Director, Digital, Wealth & Investments at Lloyds Banking GroupEnterprise

6 Things You Need To Know For E-Privacy Directive Compliance

http://phil-allen.blogspot.com/2012/03/6-things-you-need-to-know-for-e-privacy.html

over 4 years ago

Ashley Friedlein

Ashley Friedlein, Founder, Econsultancy & President, Centaur Marketing at Econsultancy, Centaur MarketingStaff

p.s. I just came across http://digital.cabinetoffice.gov.uk/2012/03/19/its-not-about-cookies-its-about-privacy/ and their guide at http://alphagov.files.wordpress.com/2012/03/gds-cookies-implementer-guide.pdf which I actually think talk a lot of sense and I like their categorisation. I don't think this is compliant in the strict sense (nothing about active consent etc.) but is sensible!

We plan to 'launch' our own solution/compliance in the next few days I hope so we'll see what reaction it gets ;)

over 4 years ago

Ashley Friedlein

Ashley Friedlein, Founder, Econsultancy & President, Centaur Marketing at Econsultancy, Centaur MarketingStaff

p.p.s. this site does a good job of implementation I think (and the company specialises in data/tracking):

1. http://www.magiq.com - clear link to the cookie/privacy stuff in the top right "Read about how we use Cookies & Privacy"
2. http://www.magiq.com/resources/privacy.aspx - privacy policy that is accurate and written in plain English
3. http://v8test2.magiq.com/P3P_Options.html - a page giving various options of levels of opt-out or (re)opt-in.

over 4 years ago

Avatar-blank-50x50

Russ

I have a question on how a specific 3rd party cookie set should be handled. To take the case of a tweet link, as given at the top of this page for example, would the cookie consent mechanism for this page need to prevent the loading of the tweet link until the consent had been given? And if yes, would you prevent the Twitter script from loading or the Twitter ahref link from loading, or both? (For the sake of simplifying the discussion of this operating principle, I am ignoring any blocking of 3rd party cookies that a visitor may have set in the browser.)

over 4 years ago

Anna Lewis

Anna Lewis, Google Analytics Analyst at Koozai

Hi Ashley, thanks for the Magiq examples, do you think that they have done enough to comply? I was under the impression you had to ask explicit consent? I hope I'm wrong!

If it is the case that you have to ask for consent, do you think you can collect any cookies before you ask? You would probably have to delete them if the answer is no but you really don't want to sacrifice all your traffic source data if you can help it!

over 4 years ago

Ashley Friedlein

Ashley Friedlein, Founder, Econsultancy & President, Centaur Marketing at Econsultancy, Centaur MarketingStaff

@Anna

On a strict interpretation of the Directive then you are correct that I'd say Magiq are not compliant because their solution is really 'informed opt out' rather than 'informed consent/opt-in'.

However, my guess is that most people are going to implement this sort of approach i.e. clearer signposting of the privacy/cookie policy + more detail in plain English in the policy itself. Some will go a step further and provide selective opt-out options like Magiq have done.

Certainly the above approach is what Econsultancy plans to implement soon even though we don't think this is fully compliant.

over 4 years ago

Avatar-blank-50x50

Russ

@Anna

Collecting cookies before asking for consent to continue to receive them (the 'non-prior' approach) can provide for a less intrusive user experience, but is deprecated in the ICO guidance document, and I think such derogations ICO might deem acceptable would probably be only in the area of 1st party 'site-admin' cookies, whose time durations can be controlled by the 1st party publisher.

On the main issue of 'informed consent/opt-in' v 'informed opt-out', which was btw left completely unresolved at the conclusion of the EU Washington Conference a few days ago (the gulf between the camps seems as wide as ever), if the UK market tide is turning toward the latter, aren't we all lining ourselves up for a slapping from ICO? Or is a 'non-prior, informed opt-out' offering merely a tester to see how hard the enforcement winds will blow post-May?

I reckon we need soothsayers more than lawyers...

over 4 years ago

Avatar-blank-50x50

Depesh Mandalia, Head of Digital Marketing at Lost My Name

@Ashley et al: this is the best implementation I've seen to date, from BT: http://www.productsandservices.bt.com

A little pop-up appears bottom right (on first visit) and the subsequent screen is quite good at explaining in plain english what each level of cookie will (and won't) provide (though the slider implementation could be better and the pop-up isn't completely usable on a small laptop screen...)

There's a link from the cookie level selector screen to this page: https://www.bt.com/static/includes/globalheader/cookies/more-about-cookies.html which then allows you (the privacy connoisseur) to delve deeper into the cookie information. Nicely done.

over 4 years ago

Mark Chapman

Mark Chapman, Director of Client Strategy + Services at White Hat Media

That is very impressive, @Depesh, and is one way that Browsers could / should do it.

Sadly, other websites will do it different ways which isn't good, is likely to be very confusing etc.

over 4 years ago

Malcolm Duckett

Malcolm Duckett, CEO at Magiq

@ Ashley,

Thanks for the endorcement on www.magiq.com - We REALLY believe that the current legislation (whilst not perfectly formed) is absolutly heading in the right direction...

We always say to customers...

"If you break the law on privacy the minor issue is that you might get fined - the major problem is when your customers find out you are abusing their privacy and data they might just put you out of business!"

over 4 years ago

Malcolm Duckett

Malcolm Duckett, CEO at Magiq

@ Ashley

If you wish, we can implement our solutions that start opted-out, but (as noted) if you are going to remember someone is opted-out then the only real way to do that is dropping a cookie to do that, so I am not sure in pratical terms you are much further forward.

So, as you say I think we need to be pragmatic, and act "within the spirit of the law" - I think Glynn Davies "Government Cookie Crumbles" blog entry here demonstrates that they are comming to the same conclusion...

The important thing is not to stick your head in the sand, but to devise a plan that respects your customers - as my grannie used to say "Malcolm, do as you would be done by!"

over 4 years ago

Malcolm Duckett

Malcolm Duckett, CEO at Magiq

@ Russ
I think you're right in highlighting the 1st-party v 3rd party issue...

There is a whitepaper explaining our position in a little more detail here...
http://www.magiq.com/docs/Magiq%20and%20Cookies%20-%20v2.pdf

over 4 years ago

Ashley Friedlein

Ashley Friedlein, Founder, Econsultancy & President, Centaur Marketing at Econsultancy, Centaur MarketingStaff

@Deepesh - thanks for that BT example. I agree, nicely done. Of course it isn't strictly 'compliant' in as much as "If you continue without changing these settings, you consent to this [all cookies]" so it is 'well notified' (rather than 'informed' one might argue) consent but not active consent.

@Malcolm - it seems to me that 'the industry' (us lot) are coming to our own conclusion/interpretation of what is right/fair within the spirit of the law... ;) No bad thing in my view. On your cookie point - I'm sure that dropping a cookie to remember cookie opt-out/in would count as 'strictly necessary' (purely operational) and therefore would be exempt anyway.

over 4 years ago

Malcolm Duckett

Malcolm Duckett, CEO at Magiq

@ Ashley
As you say, I think sanity prevails and we are all comming to the right conclusions.

over 4 years ago

Ashley Friedlein

Ashley Friedlein, Founder, Econsultancy & President, Centaur Marketing at Econsultancy, Centaur MarketingStaff

@Malcolm - maybe, but I'm not sure that's how the law normally works. "Yes, I know officer that's what the law says, but all of us here have a better idea..." ;)

over 4 years ago

Malcolm Duckett

Malcolm Duckett, CEO at Magiq

@Ashley,
Yes I know what you mean - but the ICO itself provides some guidance on this - to quote their December 'Guidance Doc', you can see where the government sites are drawing their decisions from:

"The Regulatory Action Strategy makes clear that any formal action must be a proportionate response to the issue it seeks to address and that monetary penalties will be reserved for the most serious of breaches of the Regulations meeting the criteria set out above. Although the Information Commissioner cannot completely exclude the possibility of formal action in any area, it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals, if an organisation can demonstrate they have done everything they can clearly to inform users about the cookies in question and to provide them clear details of how to make choices.

over 4 years ago

Ashley Friedlein

Ashley Friedlein, Founder, Econsultancy & President, Centaur Marketing at Econsultancy, Centaur MarketingStaff

@Malcolm - thanks for that. Hadn't seen that before but very helpful and certainly seems to say that if you at least make the effort to point out your use of cookies clearly then you're very unlikely to face any action and even less likely for that action to involve fines.

over 4 years ago

Eric Crossfield

Eric Crossfield, Search and Navigation Analyst at John Lewis PartnershipEnterprise

@Ashley,
Is the new example at johnlewis.com what you had in mind when describing "the effort to point out your use of cookies clearly"?
A good information-phase solution.
From UX perspective, it looks like a best of class example of how it can be turned into a positive, well designed solution - but maybe I would say that!
http://www.johnlewis.com/Magazine/Feature.aspx?Id=567&intcmp=privacy

over 4 years ago

Avatar-blank-50x50

Simon Lande

An interesting consent solution went live very recently on Reuters UK; it's a hosted solution, which is managed by Evidon (a US company).

Go to: http://uk.reuters.com/ and in the fat footer, in the About line, click on "Ad choices" to see the "Cookie Consent Tool" pop up.

Opinions on this?

over 4 years ago

Ashley Friedlein

Ashley Friedlein, Founder, Econsultancy & President, Centaur Marketing at Econsultancy, Centaur MarketingStaff

@ALL In case you haven't seen I've just posted an article on Econsultancy's 'solution' to the EU Directive at http://econsultancy.com/blog/9453-econsultancy-s-solution-to-eu-e-privacy-directive-compliance - do let us know what you think in the comments there!

over 4 years ago

Ashley Friedlein

Ashley Friedlein, Founder, Econsultancy & President, Centaur Marketing at Econsultancy, Centaur MarketingStaff

@Eric I reference the John Lewis example in my latest post at http://econsultancy.com/uk/blog/9453-econsultancy-s-solution-to-eu-e-privacy-directive-compliance (I've been in correspondence with one of your colleagues so knew it was coming). I think it's a good example, yes, and similar in approach to our own although the JL info section is very impressive in its comprehensiveness.

over 4 years ago

Graham Charlton

Graham Charlton, Editor in Chief at ClickZ Global

@Simon - It's not very easy to spot, but does at least provide some choices. I do wonder whether the language used helps the cause (geting people not to opt out) . I think the BT example here is a better solution as the wording does more to explain cookies to users.

https://plus.google.com/u/0/117981299390023696995/posts/L2XAdU2RaRm

over 4 years ago

Lord Manley

Lord Manley, Principle Strategist / Director at BloomReach

A nice video about the BT implementation:

http://www.youtube.com/watch?v=ccSMykN2qsI&LordManley=Awesome

(This video is nothing to do with me).

over 4 years ago

Avatar-blank-50x50

Shonagh Woods

I agree with Julian Felstead. What is this actually for? Who is it actually going to help? Certainly not small businesses. The majority of internet users are not tech-savy and will shy away from any requests regarding accepting cookies as they simply will not understand the implication of doing so. What a waste of time and money. It's a given that the majority of websites use at least google analytics (or something similar)- have they really all got to implement an opt-in banner? As Julian said, just tell everyone in advance not to use the internet as it might mean you are going to be tracked in some way, and if you're not sure you want to be, then stay off the internet - which is, of course, ridiculous.

over 4 years ago

Lord Manley

Lord Manley, Principle Strategist / Director at BloomReach

Come now, Shonagh, do you really think it is beyond our abilities or responsibilities to educate the user?

over 4 years ago

Avatar-blank-50x50

Steven Elsey

OK, I haven't read through all the posts here but it seems like the concerns are the same everywhere, and range from 'what a ridiculous waste of time' to 'we should all be responsible and implement'.

As a web developer with clients this effects, I have started to implement a solution on a few sites in the last month. These sites use Google Analytics, which happens to be the only thing generating cookies other than session cookies. The problem I have seen is that the visitor number stats have dropped by 95%. As I have no reason to think that traffic HAS actually fallen drastically, I can only assume that visitors are not opting in and therefore the GA cookies are not being added. My solution is similar to the ICO site, which I think will be most developers route to compliance.

I think this all points to the nub of the problem - user ignorance. The time, effort and cost to implement this law would have been much better spent educating web users on what they can do to protect themselves, through their browser and system settings. Instead we have a law that is ill-conceived, not fully understood, adds additional costs to businesses and penalises them if they comply.

I think when I talk to my clients about the lack of opt-ins they will almost certainly want to ignore the law, so it fails in that respect also.

As a responsible developer (I think!) I didn't think the law was an ass when I started looking into this but my views are changing fast.

over 4 years ago

Graham Charlton

Graham Charlton, Editor in Chief at ClickZ Global

Hi Steven, thanks for your comments.

I think education is key here - there is a problem with the public perception of cookies. They are associated with tracking, lack of security, fraud etc in some people's minds.

Our recent consumer survey found that 40% of people (who had previously said they knew what cookies were) though they were bad for the web.

http://econsultancy.com/uk/blog/9609-just-23-of-web-users-would-say-yes-to-cookies

While I can understand web users' concerns about privacy, and irritation with retargeting, there is a lot of ignorance about the value of cookies.

On the other point you made, 95% is a big drop - i'd be curious to see the opt-in mechanisms you have implemented if you'd like to share.

If the only cookies you use are session cookies and analytics, I think a strict opt-in option may not be the best solution. I don't think the ICO will be as strict about GA cookies as it would be for others (and web users are less likely to complain about them), so you are perhaps being too compliant.

For more on this, see our own solution: http://econsultancy.com/uk/blog/9453-econsultancy-s-solution-to-eu-e-privacy-directive-compliance

We have also just published a guide to compliance (free for subscribers)
http://econsultancy.com/uk/reports/the-eu-cookie-law-a-guide-to-compliance

over 4 years ago

Arta Abbasi

Arta Abbasi, Ecommerce director at fireplaceproducts

Thank you all for your comments , gave me a great sense of relief that i am not the only who think this is a ridiculous directive, so when we going protesting ???!!
look at all these websites (big names) done it in a very smooth way..its more privacy statement changing than a bar and giving the opt-out option to customers ..

guardian.co.uk

telegraph.co.uk

thesun.co.uk

hsbc.co.uk

rightmove.co.uk

argos.co.uk

lloydstsb.co.uk

tripadvisor.co.uk

autotrader.co.uk

amazon.co.uk

google.co.uk

ebay.co.uk

and all my competitors haven't done anything at all other than adding two three lines to there privacy statement so of course i done a same thing.
but if they want to enforce it there will be issues for all small businesses and i am sure we have to do something before they feel stronger about this directive !!

over 4 years ago

Malcolm Duckett

Malcolm Duckett, CEO at Magiq

As you might imagine Magiq are really interested in this topic, and having experimented for about a year, and looked at all the examples the community has been good enough to cite, we have completed our solution which we are offering free to LifecycleMAGIQ subscribers and using ourselves - comments welcome...
see www.magiq.com or the release here on econsultancy
http://econsultancy.com/uk/press-releases/6369-magiq-launches-cookie-law-compliance-solution-to-keep-online-businesses-legal

over 4 years ago

Mark Chapman

Mark Chapman, Director of Client Strategy + Services at White Hat Media

I see the free anti-virus service from AVG offers a Do Not Track option now - http://www.avg.com/gb-en/do-not-track

As well as browsers, anti-virus software is another useful way to solve this problem without bringing in draconian laws.

over 4 years ago

Avatar-blank-50x50

Russ

As one wag on twitter has noted today, Opt-in is Out and Opt-out is In.

over 4 years ago

Avatar-blank-50x50

Julia Pendower

I think that there is one thing that is worth noting here: this is an EU Directive, not a Regulation. That means that country passes its version of the law but it has the capacity to include 'exclusions' or local interpretations. Thats why e.g. Poland and other countries can elect for 'opt out' solutions for consumers.. so while the UK has passed its version of the Directive into law, it does have the capacity to change things if they are not working.... so forming a coherent voice and lobby group IS worthwhile. Things (interpretation) can be changed; all national laws can be amended - so it would be worth getting together as a cohesive lobby group to find more workable solutions that address privacy concerns and lobby for change as/ where/ when it is needed.

Since non UK (or EU) sites dont have to comply with this, and the Google search algorithm has integrated both bounce rates and other measures, I wonder if the powers that be have realised the potentially devastating effects this could have on the UK economy... Small losses here add to the overall negative pressures on the Economy. e.g. EU competitors with more liberal interpretations of the law (simple optouts) but English translations may rank higher than thier UK compliant counterparts, and thus get more business - taking money away from the UK economy. Same goes for US hosted sites with a UK operational arm (i.e. global players). If we are going to lobby, then these are the terms we have to think and talk in. Money talks.

over 4 years ago

Avatar-blank-50x50

Julia Pendower

Sorry - I should add that given that some 70%ish of marketing spend is now online, and UK consumers increasingly shop online (which we all know) then anything that affects UK sites from gaining traffic and therefore conversions has an adverse effect on the UK economy. Given its fragile state, it could be worth getting some economics whizzkids to try and model the overall UK revenue effects of the proposed implementations to non-uk (but probably other EU) economies.

Also for a strongly internet driven business, what is to stop companies moving their 'operational' base in legal terms to anothe EU base and then complying with the legislation version in that country? I would suggest that if the economic impacts to companies are large enough, they will look to solutions such as this = corporation tax losses I think. I am not a financial bod nor an accountant, but it could be worth getting someone who is to look at this...

over 4 years ago

Ed Hockey

Ed Hockey, Global Search & Performance Media Manager at Unilever

Just to throw some recent experience into the ring (and apologies if this has already been noted) but I received an email from my bank explaining the changes to their cookie policy. Seems like a nice touch. Happy to share the email with anyone interested in seeing it.

*checks that bank account details are not on email*

over 4 years ago

Brian Clifton

Brian Clifton, Author, CEO & Web Metrics Strategist at Advanced Web Metrics

Lots of discussion been going on here that I missed first time round...!

I wan to clarify one point that was mentioned early on by Ashley:
"implied consent is not legal"

Actually it can be, as taken from the section entitled “Implied consent as a basis for compliance…” (page 6) of the ICO guidance document (PDF – v3 May 2012). Specifically:

“While explicit consent might allow for regulatory certainty and might be the most appropriate way to comply in some circumstances this does not mean that implied consent cannot be compliant.”

As I discuss this in detail at:
http://www.advanced-web-metrics.com/blog/2012/06/11/google-analytics-and-the-new-eu-privacy-law-3/

almost 4 years ago

Avatar-blank-50x50

Nick Donnelly, CEO at City King

Has anyone ever been prosecuted for not following this law?

I think everyone should just ignore it - this insane law is destroying UX - confusing users WAY more than it's informing. It's a joke and if we call the EU's bluff there is no way they could possibly do anything about it.

10 months ago

Avatar-blank-50x50

Nick Donnelly, CEO at City King

How does it make any sense for *every single website on the web* to continually display the exact same message again and again and again.

Idiots who do not understand technology should stop legislating it.

10 months ago

Comment
No-profile-pic
Save or Cancel
Daily_pulse_signup_wide

Enjoying this article?

Get more just like this, delivered to your inbox.

Keep up to date with the latest analysis, inspiration and learning from the Econsultancy blog with our free Daily Pulse newsletter. Each weekday, you ll receive a hand-picked digest of the latest and greatest articles, as well as snippets of new market data, best practice guides and trends research.