The final countdown: Four tips to comply with the EU cookie law in time

MyCustomer.com
Neil Davey
Managing editor
MyCustomer.com

It's the countdown until brands must be compliant with the EU cookies law. Nick Broomfield of The Customer Framework explains how he is helping companies comply with the EU Directive on Privacy and Electronic Communications.

I recently blogged about a critical and yet bizarrely under-estimated challenge that all businesses in the EU (especially in GB) are set to face in May 2012, and which seems to be on precious few of our clients' corporate agendas.
The 'challenge' is the latest iteration of the EU Directive on Privacy and Electronic Communications - known simplistically as the 'cookies law' because of its focus on the use of cookies - with compliance needed by the May 26th 2012 deadline. Not only do very few businesses have compliance plans in place, some are even unaware of the requirements laid down in this Directive and subsequently turned into UK law in 2011. So let's begin by outlining what the Directive means.
I'm not a legal expert (and please don't take any of this as approved legal advice!) but at the heart of the new EU Directive is a philosophy that requires brands to be open and transparent with consumer data. The Directive covers the use of cookies and similar technologies for storing consumer information and requires a switch to active consent for cookie use before the data can be utilised by a brand. The original Directive from 2003 was amended in 2009 to require consent for storage of, or access to, information stored via a cookie on a subscriber's PC. The UK Government introduced the amendment into law on 25th May 2011 and gave businesses ONE YEAR to comply.
In essence the rules are designed to protect the privacy of internet users (even if it’s not personally identifiable) and to stop information being stored on a person’s computer and subsequently recognising them without their knowledge and agreement. The reasoning is that consumers are unaware of what ‘cookies’ are and therefore businesses should be more open in how they use them. The Government asked PWC to conduct an online study of 1,000 individuals and found that only 13% of respondents indicated that they fully understand how cookies work, while 37% said they did not know how to manage cookies on their computer.
So, to the requirements… they are basically two-fold: 
  1. Subscribers/users must be provided with clear and comprehensive information about how cookies are used and the purposes of that storage.
  2. Subscribers/users must give their consent to such use of cookies.
In reality brands should have been providing clear information about the use of cookies since the introduction of the original ePrivacy Directive in 2003, but it is the consent piece that is new in this latest iteration. Unlike in 2003, when it was acceptable to offer choice in the form of an opt-out to cookie use, the 2011 amendments are being read by many as requiring opt-in (although the phrase 'prior consent' isn't used), and solutions are being planned on that basis.
The issue of course is that many websites drop a cookie as soon as a user arrives, as part of the normal operation of the site, and it is difficult to see a good argument for obtaining consent after the activity that requires it has already occurred. In practice it is unlikely such use of cookies will need to be stopped altogether; businesses will instead need to find ways, wherever possible, to delay setting all non-essential cookies until the user has had the chance to provide their consent.
It's also worth noting that although the Directive is aimed at both key types of cookie - session cookies and persistent cookies - it is the persistent cookies (the ones that remain on a user's computer after a session has ended and recognise the user when they return) that can be deemed more intrusive than the one-off 'session' cookies (the ones that remain only for the duration of that individual session and are then deleted).
Persistent cookies will get most scrutiny when it comes to compliance. Brands should make it a priority to know what sorts of cookies they are using and whether they are 'first-party' (set by the website owner) or third-party (set by a domain other than the one being visited, for example cookies used for web analytics). A good understanding of the cookies you use is necessary to ascertain whether you need to make system changes or whether being more transparent about their use will suffice when it comes to consent acquisition and compliance.
As if it isn't complex enough, there is likely to be an exception to the need to gain consent for cookie use, but only where the use of the cookie is deemed 'strictly necessary' for the operation of the site or for the transmission of a communication. For example, the use of a cookie to remember the basket contents (or 'Favourites') for an online shop will likely be classed as 'strictly necessary' with regard to the law.
What also doesn't help brands interpret the Directive and UK law is that the two major Governmental bodies involved in providing advice on next steps - the Information Commissioner's Office (ICO) and the Department for Culture, Media and Sport (DCMS) - differ in their stance, further muddying already grey waters. Where the ICO's advice is that the law is "fair and correct", that exceptions will be narrowly defined and that strict implementation is only being delayed, the DCMS's view seems to be that implementation of the law will be difficult and that the Government should in fact pursue a 'business friendly, light touch' approach to regulation. In all reality, a compromise between the two stances is likely, and brands should plan to be pragmatic in what they do whilst always driving for full and appropriate levels of compliance.
So what do brands need to do next:
The Customer Framework are currently leading a project for one of the world’s biggest CPG organisations, directing and project managing the overall initiative to ensure an appropriate level of compliance is delivered by the end of May and a roadmap to full compliance across all of Europe by the end of 2012. Here is the process we are undertaking:

1. Establish a steering committee

It hardly needs saying, but this is not a Marketing initiative alone. Marketing are probably the best function to own and lead the project, but make sure a cross-functional working team is established including representatives from Legal, Corporate, PR, IT and any useful third parties such as digital creative agencies. All of these teams will have a role to play in taking the decisions needed and ensuring the required changes are implemented. This team should be responsible for engaging all key stakeholders (internal and external) and planning the roadmap to compliance.

2. Undertake audit

Identify a relevant agency partner or specialist vendor to undertake a detailed audit of your owned assets (websites, mobile sites and social pages/apps) to check what types of cookies or technology are in use and how you use them, and to ascertain how intrusive they are. It may be that you can delete certain cookie uses and pull back use of other more 'intrusive' cookies. And it will give you the chance to review how you use any intrusive cookies and consider if you want to continue this. The more intrusive your activity, the more priority you should give to getting meaningful consent. It seems unlikely that regulatory action will come about from sensible and clear use of first-party cookies (including analytics), so, where possible, keep your cookie use within that category.
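As an added example, not code from the article or from The Customer Framework, the following JavaScript does the classification the audit step asks for on a constructed sample of captured Set-Cookie headers: first-party or third-party, session or persistent, and whether consent is needed given a purpose register. The site host www.example.com, the captured headers, the cookie names and the purpose register are all assumptions constructed for the example; the 'strictly necessary' category follows the basket example above. It also shows the decision behind deferring non-essential cookies: which of the audited cookies may be set before any consent, and which become allowed once the user accepts a purpose.

```javascript
// Added example, not code from the article or from The Customer Framework.
// Classifies captured Set-Cookie headers for a cookie audit: first- vs third-party,
// session vs persistent, and whether consent is needed under a purpose register.

// Hypothetical site under audit (assumption made for this example).
const SITE_HOST = 'www.example.com';

// Constructed sample capture: the responding host and the raw Set-Cookie header value.
// HttpOnly cookies are invisible to page scripts, so captured response headers
// (proxy or browser dev tools) are the right input for an audit, not document.cookie.
const CAPTURED = [
  { from: 'www.example.com', header: 'sessionid=abc123; Path=/; Secure; HttpOnly' },
  { from: 'www.example.com', header: 'basket=item42; Path=/; Max-Age=1209600' },
  { from: 'www.example.com', header: 'prefs=lang%3Den; Expires=Fri, 31 Dec 2032 23:59:59 GMT; Path=/' },
  { from: 'stats.vendor.example', header: 'uid=xyz789; Domain=.vendor.example; Max-Age=63072000' },
  { from: 'www.example.com', header: 'legacy=; Max-Age=0; Path=/' },
];

// Hypothetical purpose register kept by the audit team. A cookie not listed here is
// 'unknown' and is treated as needing consent until someone classifies it.
const PURPOSE_REGISTER = {
  sessionid: 'strictly-necessary', // login session
  basket: 'strictly-necessary',    // shopping basket, the exemption example used above
  prefs: 'functional',
  uid: 'analytics',
};

// Parse one Set-Cookie header into name, value and a lower-cased attribute map.
function parseSetCookie(header) {
  const parts = header.split(';').map((s) => s.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: eq === -1 ? parts[0] : parts[0].slice(0, eq),
    value: eq === -1 ? '' : parts[0].slice(eq + 1),
    attrs: {},
  };
  for (const part of parts.slice(1)) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return cookie;
}

// Simplification: registrable domain = last two labels. A real audit should consult
// the Public Suffix List so that hosts like shop.example.co.uk are handled correctly.
function registrableDomain(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// RFC 6265: Max-Age takes precedence over Expires; a non-positive Max-Age or a past
// Expires is an instruction to delete the cookie, not to store one.
function lifetimeOf(attrs, now) {
  if (attrs['max-age'] !== undefined) {
    return Number(attrs['max-age']) > 0 ? 'persistent' : 'deletion';
  }
  if (attrs.expires !== undefined) {
    return new Date(attrs.expires).getTime() > now ? 'persistent' : 'deletion';
  }
  return 'session';
}

function classify(entry, siteHost, now) {
  const c = parseSetCookie(entry.header);
  // A Domain attribute widens the scope; without one the cookie is host-only on the responder.
  const domain = (typeof c.attrs.domain === 'string' ? c.attrs.domain : entry.from).replace(/^\./, '');
  const party = registrableDomain(domain) === registrableDomain(siteHost) ? 'first-party' : 'third-party';
  const lifetime = lifetimeOf(c.attrs, now);
  const purpose = Object.prototype.hasOwnProperty.call(PURPOSE_REGISTER, c.name)
    ? PURPOSE_REGISTER[c.name] : 'unknown';
  return {
    name: c.name, party, lifetime, purpose,
    secure: c.attrs.secure === true,
    httpOnly: c.attrs.httponly === true,
    // Consent is required unless the cookie is strictly necessary or is never stored at all.
    needsConsent: lifetime !== 'deletion' && purpose !== 'strictly-necessary',
  };
}

function auditCapture(captured = CAPTURED, siteHost = SITE_HOST, now = Date.now()) {
  return captured.map((entry) => classify(entry, siteHost, now));
}

// Consent backlog in scrutiny order: third-party before first-party, persistent before session.
function consentBacklog(report) {
  const rank = (c) => Number(c.party === 'third-party') * 2 + Number(c.lifetime === 'persistent');
  return report.filter((c) => c.needsConsent).sort((a, b) => rank(b) - rank(a));
}

// The decision behind deferring non-essential cookies: before any consent only strictly
// necessary cookies (and deletions) may be set; afterwards also those whose purpose was accepted.
function allowedNow(report, consentedPurposes = []) {
  return report
    .filter((c) => !c.needsConsent || consentedPurposes.includes(c.purpose))
    .map((c) => c.name);
}

if (typeof require !== 'undefined' && require.main === module) {
  const report = auditCapture();
  console.table(report);
  console.log('needs consent:', consentBacklog(report).map((c) => c.name));
  console.log('allowed before consent:', allowedNow(report));
}
```

Run it with node to print the audit table; on the sample it reports the analytics cookie from the vendor domain as third-party and persistent, so it heads the consent backlog, while the login session and basket cookies are exempt and the `Max-Age=0` header is recognised as a deletion rather than a stored cookie. Replace the two-label domain check with a Public Suffix List lookup before using this on a real estate of sites, and feed it headers captured from every page template, since cookies set only on checkout or login flows are the ones audits most often miss.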

3. Develop communication and consent solution

As well as undertaking your audit you should be developing your corporate stance and plan of action. Where you feel you need consent, decide what solution is best for your situation to a) explain your cookie use and b) obtain consent. There will be many creative solutions open to brands here. We’d advise that, given levels of cookie understanding are low, take an approach that is open, transparent, descriptive and uses clear language. A great example would be the way the BBC website outlines its use of cookies.

Also consider where you will communicate the cookie consent opportunities: above the web 'page fold' would be preferable rather than hiding it at the bottom of the web-page. It's no longer good enough to think that 'providing information about cookies' can be hidden away in your 'Privacy Statement' document/link at the bottom of the web-page!

4. Track developments across Europe

It is likely, as with our major CPG client, that your business operates across multiple markets and runs websites in these markets. So far, it is the UK government that has led Europe with its interpretation of the Directive, and other Governments are waiting to see how this transpires before acting. The Danish, French, German and various Nordic Governments are making moves but have not yet acted. So it will be key for businesses to prioritise action in GB and keep a close watch on the rest of Europe to see what actions are necessary.
Do consider at least auditing other markets to ensure you have full transparency on your pan-European cookie use.
In terms of solutions, it is still unclear what will be considered ‘best practice’ in this space. Many organisations (and industry bodies) we have spoken with are either unclear or unwilling to divulge planned direction and stance. It does seem likely, due to the technological constraints involved, that a ‘tick box’ solution to cookie opt-in will prove tricky for many businesses to implement, especially if they do not have the ability to track registered users and log-ins and so tie the opt-in to individuals.
For now, and until new browser solutions are introduced later in 2012 (or even 2013) that will contain more advanced privacy setting options, it seems that most businesses will take a route that very visibly outlines their new approach to cookies, detailing how, where and why cookies are used and then offering an opt-out option to ALL cookies (via the standard browser route). Time will tell, and as solutions develop from brands, we will see what becomes accepted best-practice.
Summary
This is a very complex topic, and we have only attempted to provide a very top-line, business (rather than legal!) view on the matter. However, it is critical and action IS NEEDED! May is just around the corner. To use the words of PWC to summarise the challenge to brands: "online businesses will need to evolve their data collection and usage transparency in order to illustrate to consumers the benefits of opting-in".
Our advice is to think carefully about how you will undertake the changes required and ensure you are even more crystal clear about the value proposition you are offering to consumers through your online experiences. Put together the internal Steering Committee in your company, agree your plan of action to audit your sites, agree your policy and make the changes you need to… BEFORE it’s too late and you end up the first major brand to be dragged through the PR wringer for non-compliance.
Let us know any thoughts on the challenge ahead or if you have any questions. We’d be happy to help.
Nick Broomfield is a director of The Customer Framework. Nick specialises in helping brands engage and build profitable relationships with customers across multiple channels, with a focus on the effective integration of Digital and Precision Marketing strategies. Previously Nick spent 8 years at drinks giant Diageo where he headed the Global Digital Marketing Team.
