Cookie Compliance Act: How will it impact behavioural targeting and your business?by
8th Apr 2011
With new EU legislation coming into force next month, John D'Arcy of Foviance and James Milligan of the Direct Marketing Association explore the implications of the 'Cookie Compiance Act' and whether it spells the end of behavioural targeting.
You may have noticed the digital world panicking a little in the last month. On May 25th a new piece of EU legislation is coming into force which will limit the way websites collect data about their visitors and will restrict some industries in how they monetise that information. In particular the legislation is focused around website cookies.
Cookies are small snippets of code that sit on your computer and identify you to a particular website or advertising network. Currently cookies are used in a huge variety of ways from remembering what you just put in your shopping basket so that the product is still there when you checkout, through to targeting specific adverts to you based on your previous browsing habits. The new legislation says that website owners should be getting explicit consent from visitors for their data to be collected in this way, used at a later date or even sold on. In effect visitors have to say they are happy for cookies to be dropped on to their computers by websites.
The legislation has its origin in considering how brands and advertisers should be allowed to use data they collect about us consumers as we browse the web. Should brands remember information about the products we browse, news items we read, how we prefer to personalise websites? Should they be able to use that data to sell us other products and services? Should they be able to sell that data to third parties? What is private and how much of our browsing history should remain private?
The EU legislation is not designed to ruin the user experience of surfers, nor to impact businesses with waffly laws. Simply the EU is trying to get the digital world to be on a similar footing to the rest of commerce, advertising and marketing. The direct marketing industry has been coping well with data privacy issues for many decades and the digital industry needs to be able to say in a similar way that it is responsive around individual’s privacy and reactive to their needs with regards to any data collected about them. The impact of the web on our lives has meant we are much more connected than before but consequently those connections mean we are leaving a trail of activity in a huge variety and number of places. It is this paper trail that the legislation is trying to get to grips with.
The average consumer is happy to have cookies that support their user experience, e.g. remembering that I live in Stoke Newington and providing me with local news and weather. This type of cookie isn’t going to be impacted by the legislation because it can be argued they are required to deliver a specifically requested service. But when cookies are used for behavioural targeting it can be a bit more off-putting for the average person and this is where the legislation will really affect our industry.
Recently I’ve been ‘stalked’ by Clarkes and John Lewis adverts wherever I have been on the internet. This is because when visiting their site some weeks ago they dropped a cookie on my computer and shared that data with a third party advertising network. The network now uses that information to recognise me and fires me adverts for the same products I looked at last month. If these type of cookies are not going to be used it could mean the death of some new digital industries that were expected to drive the development of online advertising. Could this be the end for whole industries such as re-targeting, behavioural targeting or multivariate testing?
How did the legislation develop?
During the last 12 months a number of industry insiders have been working with the government to help define how the legislation should be implemented. The government has stated that not all cookies will be subject to the legislation. If they were then it would mean that we would need to be served with a pop-up window asking for cookie consent nearly every time we clicked to a new web page.
This usability nightmare scenario was squashed by the government but with a rather broad statement that the legislation does not apply to cookies that are ‘strictly necessary’ to provide an explicitly requested service. This generated a lot of argument that have not yet been satisfactory resolved debating if automatic settings in your browser would be enough or if sites whose existence that depended solely on advertising could be exempt.
The upshot is a rather sensible wait-and-see policy from the UK government. They have been working with advertising bodies like the IAB, EASE, ASA to review current uses of cookies and support moves by industries such as behavioural targeting to educate consumers and move to an industry standard for behavioural ads. By 2012 expect to see a small icon in any behavioural ad to show that it has used cookie data to target you.
But with the legislation coming into effect in a month what should you do next? Large brands need to get an idea of how pervasive cookies are on their sites and also how third parties which may be advertising on their site are collecting data and subsequently using it. If your advertising or media agencies aren’t able to give a confident response on how they are proposing to react to the legislation then it is probably time to look for another agency.
Since the autumn of 2010 at Foviance we have been researching what impact this legislation is going to have on brands and also how consumer attitudes to data privacy are likely to develop in the next few years. With the legislation in mind we developed a tool that grabs cookies from a website visit, analysing the type of data being collected by the cookie and rating this data in relation to how likely the legislation will impact it.
It has been fascinating and eye-opening to see the huge number of cookies that a typical website uses and the wide array of uses of these cookies. Using this approach we’ve been able to help our clients understand how the new law is likely to impact them across different types of cookies they use such as advertising, functionality and social media. I think it is fair to say that the impact of the legislation on large brands is going to be huge.
What about consumers? Most people think the internet is free and don’t understand that website owners need to generate revenue to support the delivery of content. Consumers also need to be educated in how data is collected, otherwise distrust will set in and people will never be happy to share their data. If that happens then slowly the amount of data and quality of that data that is collected through cookie technology will decrease dramatically. So, time for the digital industry to proactively engage and lead in the privacy debate.
John D'Arcy is practice director for analytics & insight at Foviance, a cross-channel customer experience consultancy to the world's leading brands. John has helped clients measure and optimise their marketing communications for over 15 years and is an authority on web analytics, data visualisation and statistical modelling. For information on Foviance's Cookie Compliant Audit click here.
Another view on the EU Cookie Act
From 25 May, all UK businesses and organisations will have to gain consent from registered users and visitors to their websites to store information using cookies on users’ computers and to retrieve it.
The new legislation classifies different types of cookies. Some, such as those used for online banking and purchasing, are classified as 'necessary for the provision of service'. This means that organisations may continue to use them, but they have to explain to consumers why they’re using them. There are a number of ways of obtaining consent for these sorts of cookies. You could add them to the terms and conditions, if you’re offering an online banking service.
Third-party cookies are another matter. These are useful to the organisation using them but are particularly intrusive form the consumer’s point of view. Typically, organisations use them to track the user’s movements on its websites and external ones and deliver advertisements based on this journey, also known as online behavioural advertising (OBA). The new law will require organisations to get consent for such cookies and make people fully aware of how the cookie will work, in plain, simple terms that they can understand.
This new legislation provides marketers with the ideal opportunity to clear up confusion and paranoia among consumers over what they see as private sector surveillance. By explaining to consumers exactly how cookies are going to work you’re entering into a much more equal relationship, one where there’s a fair and honest exchange between marketer and consumer."
James Milligan is solicitor, legal & public affairs adviser at the Direct Marketing Association.