It’s been a year since the EU first announced new regulations regarding eprivacy and the way in which cookie data is used. But are brands ready for the new rules now that they’re about to come into play? Claire Weekes reports
The subject of internet privacy has been at the top of the news agenda these past few weeks. Making headlines has been the backlash over plans to extend government powers to monitor email exchanges and website visits. But there is an equally important – if less sensationalist – eprivacy debate raging, and one that has particular implications for marketers. On 26 May, the EU’s eprivacy directive finally comes into play. It will monitor and govern the way in which companies are allowed to track and store data from webpage visitors in Europe.
When the directive was first announced last April, there was a flurry of conversation around what the changes would mean in practical terms, and concerns over potential grey areas. The new rules appeared to allow brands to interpret for themselves what is considered responsible tracking, which, rather than appeasing marketers, simply caused frustration and worries about ambiguity. But after this initial period of hype about what the new rules would mean, talk died down. So 12 months on, has all confusion been ironed out and are brands ready for the change?
Directive – what directive?
The Information Commissioner’s Office (ICO), which will enforce the legislation and issue any necessary sanctions, has allowed website owners a year-long grace period in order to become compliant with the new directive.
However, even with 12 months in which to take action, the majority have failed to do anything to prepare for 26 May. Research carried out in March 2012 by website Ezine Articles found that of 17,904 audited UK sites, just 53 were found to be compliant.
Mike Carter, co-founder of website builder Ixis, warns that ignoring the implications could be foolish. “A penalty fine of up to £500,000 [the maximum fine that can be imposed for breaching the new rules] could put companies out of business or at least seriously damage reputation,” he says.
Perhaps most brands are losing sight of why the directive has been issued in the first place. But the EU does have a very real reason for implementing it. The EU states that 70 per cent of Europeans are concerned that their personal data may be misused by businesses in some way, and in addition, 72 per cent of internet users are worried they give away too much personal data.
“The EU also [believes] that existing data protection provision needs updating, emphasising there are differences in the way each member state implements the law. This has led to ‘inconsistencies, which create complexity, legal uncertainty and administrative costs’ and ‘affects the trust and confidence of individuals and the competitiveness of the EU economy’,” says Steph Barber, head of law at solicitors Law Hound.
So then, what exactly is it that brands must do to be compliant with the new regulations?
It literally boils down to ensuring visitors to your website have an informed choice as to whether or not they accept a website’s cookies onto their device. “Businesses must figure out how to move from the old ‘notice and opt out’ regime to the new ‘notice and affirmative opt-in’ model,” explains Dennis Dayman, chief privacy officer at Eloqua. Dayman continues, “There are still some grey areas and questions surrounding the directive, and the confusion has created some of the most compelling questions about the future of cookies in years.
“A question I am hearing again and again, and one that is particularly pertinent for B2B marketers, is ‘does the regulation affect all tracking mechanisms such as email opens and clicks?’ We haven’t heard anything official on this, but the consensus in the industry is that this directive would not require affirmative opt-in for just email tracking. It would only be applicable to web tracking. Up to this point, the authorities’ focus on cookies has been very much from a browser-based tracking perspective.”
Clearing up the confusion
The majority of the confusion surrounding the new legislation seems to centre not around what it actually is, but around how it should be interpreted and how it can be enforced. The ICO produced revised guidelines in December 2011 and has also promised to issue further guidelines ahead of 26 May. But this doesn’t appear to have done enough to quell confusion.
“The [current] guidance stops short of explaining when it will be appropriate to use each of the different approaches. This means that organisations are having to take a view on what is appropriate for their websites and the cookies they use,” says Martin Sloan, an associate at Brodies Solicitors. “At the same time, the various European data protection regulators have also rejected an industry proposal for controlling online behavioural advertising cookies on the basis that there is a presumption of opt-in unless users opt-out through a central website,” he adds.
This confusion was compounded further in early April when the Government Digital Service (GDS – the central government team tasked with transforming government digital services) issued detailed guidance on its policy.
“The GDS guidance, while arguably more pragmatic, appears to be at odds with some sections of the guidance issued by the ICO,” says Sloan. “As yet, the ICO is still to comment on the GDS guidance, but an endorsement of the GDS approach would provide organisations in both the public and private sectors with a great deal of comfort, as it would provide clearer guidance on some of the problematic issues.”
Forward-thinking brands
While it seems the ICO still needs to get its act together, various trade bodies such as the IAB and European Advertising Standards Association are at least stepping up to give industry advice on how brands can best establish a method of transparency when it comes to communicating to customers how and when it uses their data. “For now, the smartest move for any brand is to ensure its agencies and networks are part of the IAB EU’s self-regulatory programme and are using the AdChoices Icon for customer transparency and control,” advises CEO of Evidon, Scott Meyer.
Some brands, which have already prepared themselves, can also be held up as examples of what the future might look like. “We’ve been looking at some UK Government sites to see how they are implementing their own rules,” says Carter.
He adds, “Gov.uk includes a ‘beta warning’ model pop-up, including the message ‘N.B. This site uses cookies’ and closing the page sets a cookie so you don’t see it again. Also, the Cookie Control widget from Edinburgh-based CivicUK is an effective answer to the requirements, where the user interface provides a simple pop-up in the bottom corner of a visitor’s web browser with minimal options to complicate things. This widget can be added to any site relatively easily.”
Despite these few examples of best practice, however, and the fact that brands have had a year to start complying with the new rules, it seems they still have much to do – both in terms of ensuring they’re compliant with the new law, and knowing precisely what they’re meant to be complying with.
Ten tips to adhering to cookie guidelines: Key steps to ensuring compliance by the DMA
1. Engage key stakeholders. Identify key stakeholders and keep them informed throughout. The key to implementing a compliant solution will be your IT team/web managers, but don’t forget other impacted teams and aim for a joined-up approach.
2. Check what types of cookies you use. Audit your cookies (not forgetting equivalent technologies). Identify all your websites and other places where cookies might be used (e.g. mobile apps). Many third parties now provide cookie audit services (as well as end-to-end solutions).
3. Assess the intrusiveness of your cookies. Assess your cookies against an ‘intrusiveness scale’, either your own or an industry standard such as The International Chamber of Commerce’s (ICC’s), and categorise each cookie on, for example, performance, functionality and targeting. Which of your cookies are strictly necessary? This is also a good opportunity to identify any cookies that are no longer required.
4. Decide how you will obtain consent. Will it be via (for example) pop-up boxes, splash pages, landing pages, homepage headers, banners, scrolling text, implied consent, tick boxes or terms and conditions?
5. Develop and test your solution(s). These requirements are new for everyone so make no assumptions. Before you launch, be sure to test the end-to-end user experience. Don’t forget to include an assessment of the language you have used – is it user-friendly? Once you go live, keep alert for user feedback.
6. Update your cookie policy and other relevant content. Alongside your consent mechanism, you will need to provide access to content that will explain what cookies/equivalent technologies are in use, what they are doing and how users can both provide and withdraw consent. If appropriate, use industry-defined language or descriptions such as the ICC’s.
Keep the profile of your website users in mind when updating your policy. If your changes are ‘work-in-progress’, consider updating your existing cookie policies to tell your customers that you are getting ready.
7. Communicate with third parties. Think about your relevant third party relationships. Are any third parties running websites on your behalf, placing cookies on your behalf or broadcasting emails on your behalf? What changes are they making in order to comply? Do you need additional contractual terms in place?
8. Ensure relevant staff are fully aware. It’s essential that any staff who might be asked questions about your solution are fully briefed. This could include, for example, technical help desk teams, public relations teams and call centre staff.
9. Define a maintenance/control process. Remember 26 May is the start, not the end date. It is essential that you keep effective control of your organisation’s use of cookies to ensure ongoing compliance.
10. Talk with and learn from others. One of the best ways to discuss the implications of the new directive and practical measures to take is with peers and other organisations.
In addition, B2B Marketing’s Eprivacy Best Practice Guide provides practical guidance to help marketers stay on the right side of the law.