On 26th May, new laws come into force governing the way websites
use cookies to track user behaviour. The new EU privacy directive, dubbed the cookie law, was adopted last May
by the UK government with website owners given a year’s grace to
become compliant.
With the aim of protecting the privacy of internet users, the
Directive requires websites to obtain permission from users
before certain types of cookies-small files that store
information about an individual’s online session-are used.
Companies that do not comply could face fines of up to
£500,000.
“The cookie laws have created a confusing situation for all
website owners. There are pages and pages trying to interpret
what needs to be done to be compliant-and as yet no clear
answer,” says Chloe Thomas, who runs online marketing
agency IndiumOnline. “The key point of the UK version is
that you need ‘prior consent’ in order to drop ‘nonessential’
cookies on users. Prior consent is easy to understand, but hard
to implement,” she adds.
Essential cookies are defined as those necessary for a service,
for example, to remember the contents of a user’s basket as he
navigates an online shop, and are therefore exempt. “The
offending cookies are those that study the customer’s profile and
behaviour, are applied to personalise a website or serve relevant
third-party adverts,” explains Kevin Galway of digital
marketing agency BSS Digital. In order to continue using
nonessential cookies, website owners must unambiguously obtain
consent from users; for example, by updating privacy policies or
using pop-ups during a visitor’s session. Even businesses that
don’t use sophisticated behavourial targeting tools need to
comply, as Galway warns, “if your site uses Google
Analytics, then you are impacted by this law.”
Taking the biscuit
Some retailers welcome the “fuzzy nature” of the new
regulations. Rob Silsbury, eCommerce director UK and Europe at
Tiffany & Co, says that while complying fully with the new
regulation, “we are looking at the lack of defined
boundaries as a positive, giving us some freedom to ensure that
the impact on our business and the customer experience is
minimal”. For him, the big question is what constitutes
“consent” and how to deal with those who don’t give
it. “The issue of whether ‘consent’ needs to involve a
click is the biggest focus and we will be preparing a couple of
approaches based on two very different views of the
answer.”
At another business that spoke to Direct Commerce on
condition of anonymity, the year’s grace helped focus the
eCommerce team. Its head of multichannel retail says, “We
have run internal audits to understand the totality of the
cookies we collect, we considered how best to address the
requirement of informed consent, and in particular we paid
careful attention to what the ICO was saying and what some of the
larger brands were doing.”
For the main part, he is taking a wait-and-see approach,
“We noted that the ICO was really only going to act in
cases of widespread complaint, or where cookies were being
collected for nefarious purposes. As we are unlikely to trigger
either of those elements, we will not be actively asking for
informed consent.” This isn’t a complete flouting of the
law, he hastened to add, “We recognise we could do more to
explain to customers about the information we gather on them, and
we will be progressively updating our privacy policies over the
next three to six months to be more open”.
An eCommerce manager at a leading fashion brand told Direct
Commerce he had no plans to implement an “opt-in
pop-up, roll-down or otherwise”. But what he has done is
make the site’s cookie policy robust, listing exactly what
cookies it uses and how. His plan, he says, is to wait for as
long as possible before having to implement drastic changes. He
will make his move “once the cookie question becomes
non-threatening”-the same strategy he used when complying
with 3D Secure, he adds.
“It’s tempting to see this as another PCI DSS or 3D Secure.
But it’s worse,” says Chloe Thomas. “At least with
them it was black and white what needed to be done to be
compliant. The penalties for not being compliant with the cookie
law are big, but the ICO doesn’t have the resources to prosecute
lots of companies.”
So what should you do to ensure you meet the deadline? In the
first instance, says BSS’s Galway, all retailers should read the
ICO’s guidelines. “Then find out what type of cookies your
site has and determine the optimum solution to obtain consent
from visitors. There will be a fine balance between the desire to
collect as much information as possible on visitors and not
deterring them away from your site, but retailers must address
this challenge now before it’s too late.”
Share