Cookie Compliance Act: How will it impact behavioural targeting and your business?

8th Apr 2011

With new EU legislation coming into force next month, John D'Arcy of Foviance and James Milligan of the Direct Marketing Association explore the implications of the 'Cookie Compliance Act' and whether it spells the end of behavioural targeting.

You may have noticed the digital world panicking a little in the last month. On May 25th a new piece of EU legislation is coming into force which will limit the way websites collect data about their visitors and will restrict some industries in how they monetise that information. In particular the legislation is focused around website cookies.
Cookies are small snippets of code that sit on your computer and identify you to a particular website or advertising network. Currently cookies are used in a huge variety of ways from remembering what you just put in your shopping basket so that the product is still there when you checkout, through to targeting specific adverts to you based on your previous browsing habits. The new legislation says that website owners should be getting explicit consent from visitors for their data to be collected in this way, used at a later date or even sold on. In effect visitors have to say they are happy for cookies to be dropped on to their computers by websites.
The legislation has its origin in considering how brands and advertisers should be allowed to use data they collect about us consumers as we browse the web. Should brands remember information about the products we browse, news items we read, how we prefer to personalise websites? Should they be able to use that data to sell us other products and services? Should they be able to sell that data to third parties? What is private and how much of our browsing history should remain private?
Behavioural targeting
The EU legislation is not designed to ruin the user experience of surfers, nor to impact businesses with waffly laws. The EU is simply trying to put the digital world on a similar footing to the rest of commerce, advertising and marketing. The direct marketing industry has been coping well with data privacy issues for many decades, and the digital industry needs to be able to say in a similar way that it is responsive to individuals' privacy and reactive to their needs with regard to any data collected about them. The impact of the web on our lives has meant we are much more connected than before, but consequently those connections mean we are leaving a trail of activity in a huge variety and number of places. It is this paper trail that the legislation is trying to get to grips with.
The average consumer is happy to have cookies that support their user experience, e.g. remembering that I live in Stoke Newington and providing me with local news and weather. This type of cookie isn’t going to be impacted by the legislation because it can be argued they are required to deliver a specifically requested service. But when cookies are used for behavioural targeting it can be a bit more off-putting for the average person and this is where the legislation will really affect our industry.
Recently I’ve been ‘stalked’ by Clarks and John Lewis adverts wherever I have been on the internet. This is because when visiting their site some weeks ago they dropped a cookie on my computer and shared that data with a third party advertising network. The network now uses that information to recognise me and fires me adverts for the same products I looked at last month. If these types of cookies are not going to be used it could mean the death of some new digital industries that were expected to drive the development of online advertising. Could this be the end for whole industries such as re-targeting, behavioural targeting or multivariate testing?
How did the legislation develop?
During the last 12 months a number of industry insiders have been working with the government to help define how the legislation should be implemented. The government has stated that not all cookies will be subject to the legislation. If they were then it would mean that we would need to be served with a pop-up window asking for cookie consent nearly every time we clicked to a new web page. 
This usability nightmare scenario was squashed by the government but with a rather broad statement that the legislation does not apply to cookies that are ‘strictly necessary’ to provide an explicitly requested service. This generated a lot of arguments that have not yet been satisfactorily resolved, debating whether automatic settings in your browser would be enough or whether sites whose existence depended solely on advertising could be exempt.
What next?
The upshot is a rather sensible wait-and-see policy from the UK government. They have been working with advertising bodies like the IAB, EASE, ASA to review current uses of cookies and support moves by industries such as behavioural targeting to educate consumers and move to an industry standard for behavioural ads. By 2012 expect to see a small icon in any behavioural ad to show that it has used cookie data to target you.
But with the legislation coming into effect in a month what should you do next? Large brands need to get an idea of how pervasive cookies are on their sites and also how third parties which may be advertising on their site are collecting data and subsequently using it. If your advertising or media agencies aren’t able to give a confident response on how they are proposing to react to the legislation then it is probably time to look for another agency.
Since the autumn of 2010 at Foviance we have been researching what impact this legislation is going to have on brands and also how consumer attitudes to data privacy are likely to develop in the next few years. With the legislation in mind we developed a tool that grabs cookies from a website visit, analysing the type of data being collected by the cookie and rating this data in relation to how likely the legislation is to impact it.
It has been fascinating and eye-opening to see the huge number of cookies that a typical website uses and the wide array of uses of these cookies. Using this approach we’ve been able to help our clients understand how the new law is likely to impact them across different types of cookies they use such as advertising, functionality and social media. I think it is fair to say that the impact of the legislation on large brands is going to be huge.
What about consumers? Most people think the internet is free and don’t understand that website owners need to generate revenue to support the delivery of content. Consumers also need to be educated in how data is collected, otherwise distrust will set in and people will never be happy to share their data. If that happens then slowly the amount of data and quality of that data that is collected through cookie technology will decrease dramatically. So, time for the digital industry to proactively engage and lead in the privacy debate.
John D'Arcy is practice director for analytics & insight at Foviance, a cross-channel customer experience consultancy to the world's leading brands. John has helped clients measure and optimise their marketing communications for over 15 years and is an authority on web analytics, data visualisation and statistical modelling.

Another view on the EU Cookie Act

"Most businesses and organisations use cookies for a variety of reasons, to analyse consumer browsing habits and remember a user’s payment details, for instance. The new EU cookies law, which comes into force on 25 May 2011, will have a far-reaching effect on how and when cookies are used. And, the Information Commissioner Christopher Graham has issued a stern warning to UK businesses to wake up to the new legislation or face the consequences.
So, what exactly are these new rules and what do they mean? The EU’s revised Privacy and Electronic Communications Directive will introduce a general rule of opt-in for the use of cookies, as opposed to the current opt-out provision.
From 25 May, all UK businesses and organisations will have to gain consent from registered users and visitors to their websites to store information using cookies on users’ computers and to retrieve it.
The new legislation classifies different types of cookies. Some, such as those used for online banking and purchasing, are classified as 'necessary for the provision of service'. This means that organisations may continue to use them, but they have to explain to consumers why they’re using them. There are a number of ways of obtaining consent for these sorts of cookies. You could add them to the terms and conditions, if you’re offering an online banking service.
Third-party cookies are another matter. These are useful to the organisation using them but are particularly intrusive from the consumer’s point of view. Typically, organisations use them to track the user’s movements on its websites and external ones and deliver advertisements based on this journey, also known as online behavioural advertising (OBA). The new law will require organisations to get consent for such cookies and make people fully aware of how the cookie will work, in plain, simple terms that they can understand.
What should UK businesses be doing in preparation? A good starting point is to conduct an audit of all cookies to identify the different types and to remove any obsolete ones. Then you can start thinking about whether you are going to use terms and conditions of purchase or a privacy policy to obtain consent and whether it’s permissible. For example, you may need express consent for the use of cookies if you’re collecting sensitive personal data.
This new legislation provides marketers with the ideal opportunity to clear up confusion and paranoia among consumers over what they see as private sector surveillance. By explaining to consumers exactly how cookies are going to work you’re entering into a much more equal relationship, one where there’s a fair and honest exchange between marketer and consumer."
James Milligan is solicitor, legal & public affairs adviser at the Direct Marketing Association.

Replies (2)


By Charles Nicholls
11th Apr 2011 12:09

Two points to note:
(1) No country level legislation has yet been passed
While the EU law comes into effect on May 25th, each European country has yet to pass laws governing their jurisdictions, so it's pretty hard to comply with this at this point. Equally, it is highly likely that different countries interpret the EU law differently, meaning that websites hosted in different EU countries will be subject to different variations of the umbrella EU law.

(2) Explicit (Opt-In) consent is required
The piece by James Milligan suggests that compliance may be achieved, potentially, through privacy policy, or through terms and conditions. This is a bit misleading in my view and suggests that simple changes to a website's privacy policy might be sufficient. I do not believe this is correct.

The EU law states:

“Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia about the purposes of the processing.”

This is pretty clear-cut Opt-In, so in order to comply, a website will need to get proactive consent to store data on the visitor's machine, except for those tasks ‘necessary for the provision of service.’ In practice this means that a user will have to tick a box to consent to the terms of business / privacy policy before the data is stored as a cookie on their machine.

James – could you clarify?

By User deleted
11th Apr 2011 16:46

Thanks for your comment Charles, and yes, I welcome the opportunity to clear up the two points you raised. Let me start by saying I entirely agree with your first point: “No country level legislation has yet been passed”.


However, following the Information Commissioner’s speech at the ICO Data Protection Officers Conference in Manchester last month, I was trying to list some practical steps which can be taken now in advance of the implementation of the Directive in each of the 27 Member States.


I’d also like to take this opportunity to clarify the other point you raised: “explicit opt-in consent is required”.

 Consent is defined in the 1995 Data Protection Directive in Article 2 (h) as “any freely given specific and informed indication of his wishes by which the data subject signifies his agreement”. 

Ticking an opt-out box is one option of signifying consent but, equally, signing up to a privacy policy or terms and conditions with appropriate wording above a “submit/register now” button will also meet the above definition of consent.

An example of such wording would be


“Click here to view the privacy policy/ terms and conditions. By clicking the submit / register now button below you are agreeing to accept the privacy policy/ terms and conditions 

Submit/ register now button.”


Of course the privacy policy/terms and conditions would have to be written in clear language and the section dealing with cookies easily found.


The key point is that there must be a positive action on the part of the user and the user must have been told about the consequences of the action before s/he clicks the “submit/register now” button.



James Milligan

