2. Overview
The Revised E-Privacy Directive aka the “Cookie Law” is due to be
enforced from the 26th May 2012.
The synopsis is that if you are tracking users and capturing data on
them, you MUST ask them for consent or you cannot track them. Most
tracking is achieved via browser “cookies” (simple text files containing
data).
The only exceptions are for cookies which are “strictly necessary” and without which websites won’t work properly:
• Framework session cookies (e.g. a PHP session cookie)
• Shopping cart cookies (can’t have the cart forgetting what you tried to buy)
Analytics cookies are not included in the “strictly necessary” definition.
3. The upshot
1. Companies are going to have to conduct a cookie audit to identify what their website is actually doing and then implement a solution to ask users’ permission for any cookies that the company deems necessary.
2. Companies that choose to be fully compliant are going to lose a massive percentage of their analytics data, as a large percentage of users will not consent to tracking. The Information Commissioner’s Office (the UK regulatory body) revealed a 90% drop in analytics stats when they implemented a consent solution.
4. Reading between the lines
The ICO has said that it’s looking for “positive steps” when it comes to any enforcement policy, and we should expect them to be helpful rather than adversarial in the first few months of enforcement. With this in mind, some companies are choosing to meet a minimum level of compliance now, with a view to re-assessing the lay of the land later on once a consensus on best practice has been reached by the early adopters.
There are also grumblings that although the ICO are laying down the law, the government hasn’t yet really had its say, and has instead commented on the need for browser vendors to provide a solution.
http://bit.ly/H9ZjxL
Basically, the implementation of the law is a mess. Should we sit tight and see what happens?
5. Reading between the lines
With this in mind, and the fact that enforcement is pretty unlikely to happen immediately, the following approaches have all been mooted as perfectly valid, depending on the company’s sensitivity to adverse PR if any sort of story were to arise.
Baby steps: Do a cookie audit and update the privacy policy with friendly information about the cookies being used. (Not compliant, but a “positive step”)
The fifty per cent: Remove all cookies except for analytics, adopt clear iconography advising which remaining cookies are used and link to an updated privacy policy. (Not compliant, but arguable – and many companies will be arguing!)
Full compliance: Cookie audit, updated iconography / privacy policy and a solution that tests for user consent for cookies that are not strictly necessary.
The end decision is definitely a “personal” one, based on the ethos of the company involved and their attitude to risk. (And their users)
6. Reading between the lines
On top of all this, and rather intriguingly, the ICO has left a small door open on analytics cookies (through which everyone is stampeding).
“Provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action.”
I.e. “They are still illegal, but we’re unlikely to come down on you for them.”
http://bit.ly/HAhBIq
8. “Strictly Necessary”
The directive contains 2 concepts:
Strictly necessary
Cookies without which websites cannot operate. E.g. shopping carts can reasonably be expected by the user to remember previous items the user has selected to purchase. Without remembering this, the cart is useless and the user journey fails.
Informed consent
For all other purposes – you have to ask the user whether they are OK with you tracking them for this purpose.

Strictly Necessary      Informed Consent
Load balancing          Analytics
PHP Session             Advertising networks
Shopping basket         User preferences, e.g. “Welcome back John”
9. 1st party vs 3rd party
The type of cookie being set also impacts on this, especially those cookies placed by sites other than the one the user is browsing.
1st party cookies are cookies set by YOUR website.
3rd party cookies are set by other sites (e.g. Google AdWords) to track users as they browse from site to site. These are typically advertising cookies.

                      1st Party                                        3rd Party
Strictly Necessary    No consent required                              n/a
Consent required      Consent granted once; the setting can be         Have to ask for consent each time
                      stored indefinitely                              a user visits the site
10. Compliance step 1
Audit the cookies the site is currently setting and establish which are 1st and 3rd party, along with what fits the description of strictly necessary.
11. Compliance step 2
Update your privacy policy to contain clear information on what cookies you would like to set, what they do and where the information goes.
• Some sites have created whole “cookie” related sections, rather than putting everything into the existing privacy policy.
• The ICO are keen that the wording is in plain English, as the whole idea of the law is to help users make an informed choice about their privacy.
12. Compliance step 3
Implement a system to get consent from the users:
• It should link to the information on your site about cookies and explanations of what you do with the data.
• It should have a method of asking users for their consent for you to track them.
Importantly it also needs to be:
• Obvious and friendly enough to encourage as good a click rate as possible.
• Intelligent with regard to 1st and 3rd party cookies.
13. Compliance workflow
User arrives:
• Repeat visitor with consent cookie present: 1st and 3rd party cookies set as appropriate.
• New user or no consent: strictly necessary cookies set. 3rd party cookies need setting, so the consent solution is presented on page load.
  – User accepts: 1st and 3rd party cookies set as appropriate, along with a “consent” cookie.
  – User declines or ignores.
At this point it’s not clear whether the best solution is to “nag” the user on every page. The problem is that to avoid doing so… you need to set a “consent” cookie!
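The consent system of compliance step 3 and the workflow above, as an added browser-side example that is not code from the original deck: it decides on page load which cookie categories may be set from the cookies already present, and builds the cookie strings to store the user’s choice. The cookie names, values and one-year lifetime are assumptions.

```javascript
// Added example: a consent gate for the workflow on the slide above.
// Cookie names and values are assumptions, not from the original deck.
const CONSENT_COOKIE = "cookie_consent";          // persistent, 1st party: "accepted" | "declined"
const SESSION_CONSENT = "cookie_consent_session"; // session cookie: consent given in this visit

// Parse a document.cookie-style string ("a=1; b=2") into a name -> value map.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Decide what the page may do on load:
//  - strictly necessary cookies (session, cart) are always allowed;
//  - 1st party non-essential cookies only when a stored "accepted" consent exists;
//  - 3rd party cookies only when consent was also given during this visit
//    (the slide's "ask each time a user visits the site");
//  - the consent solution is shown to new users, and again to returning users who
//    accepted before but not yet this visit; a stored "declined" stops the nagging.
function decideOnPageLoad(cookieString) {
  const c = parseCookies(cookieString);
  const stored = c[CONSENT_COOKIE];
  const thisVisit = c[SESSION_CONSENT] === "accepted";
  return {
    strictlyNecessary: true,
    firstParty: stored === "accepted",
    thirdParty: stored === "accepted" && thisVisit,
    showPrompt: stored === undefined || (stored === "accepted" && !thisVisit),
  };
}

// Cookie strings to set once the user makes a choice (an "ignore" sets nothing,
// so the prompt simply reappears on the next page). Declines are stored too.
function recordChoice(choice) {
  if (choice !== "accepted" && choice !== "declined") {
    throw new Error("choice must be 'accepted' or 'declined'");
  }
  const oneYear = 60 * 60 * 24 * 365;
  const cookies = [`${CONSENT_COOKIE}=${choice}; Max-Age=${oneYear}; Path=/; SameSite=Lax`];
  if (choice === "accepted") {
    // No Max-Age: expires with the browser session, so 3rd party consent is re-asked next visit.
    cookies.push(`${SESSION_CONSENT}=accepted; Path=/; SameSite=Lax`);
  }
  return cookies;
}
```

In a real page the strings returned by recordChoice are assigned to document.cookie one at a time, and the analytics or advertising script tags are only injected when the matching flag from decideOnPageLoad is true.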
14. Solutions:
Status Bar - Top
Pros – Imposing and in the eyeline but not obstructive, the user can continue to browse.
Cons – Can be ignored.
Status Bar - Bottom
Pros – Not obstructive, the user can continue to browse, still very obvious.
Cons – Not in the eyeline; can be ignored on taller pages unless it floats over content.
15. Solutions:
Modal Overlay
Pros – Very imposing, user cannot pass without making a choice.
Cons – Very obstructive, might lead to higher bounce rate from the site.
Gutter Widget
Pros – Can be nicely designed, floats to remain in the user’s eyeline, 3rd party script already exists.
Cons – Too easy to ignore, overlays content on smaller screens, not much use for mobile.
16. Server-side analytics
Rather than relying on cookies and JavaScript, you let the webserver itself gather data on the user from the PHP process or server logs. This could also be against the law, although there appears to be some confusion on this matter still.
Pros
• Some form of analytics can be kept live to inform business decisions.
Cons
• The available solutions are not as advanced: they don’t track nearly so much data or enable you to have advanced functions such as funnels or goals, and you can’t track repeat users.
• Has a cost implication for implementation, even if the solution itself is open-source.
• Adds extra load to the webserver.
• Cannot be installed on some hosting environments.
17. Sampling via Google Analytics
Even if there is a 90% drop, the remaining 10% is still a representative sample of your user base. Statistics for the whole can be inferred from this sample.
It is not clear, though, whether this 10% would be “engaged” with your company already – i.e. whether the sample is skewed.
18. A/B Testing
There is currently very little / no public data on the effects of the various types of solution on user interactions with websites. There is certainly no best practice as yet, and there are various organisations competing to try and come up with a standard.
Eventually a standard will emerge, or the issue will be solved by the browser vendors (which is the argument for the “reading between the lines” approach to compliance in slide 4).
In the meantime the very best approach would be to test the implementations against each other and gather hard data on which works best for the users of YOUR site.
A/B testing is cheap to conduct, but the cost will include having to develop at least 2 compliance solutions initially.
19. Final Consideration
Whatever your company decides to do, comms teams should be aware of the company policy, especially if non-compliance is followed, as there could be incoming traffic on this subject.
20. Further reading
Latest state of play:
http://econsultancy.com/uk/blog/9453-econsultancy-s-solution-to-eu-e-privacy-directive-compliance
http://www.cookielaw.org/blog.aspx
http://blog.silktide.com/
Implementation examples
http://db.tt/yYc182rv (PowerPoint Deck)
http://bt.com (Go to bottom right corner and click on “Cookies”)