EU Cookie Law – ecommerce sites selling to UK need to do something now

Site owners in the UK have had several years to get to grips with implementing the EU Tracking directive. The period of grace ended on May 26th 2012 and so UK ecommerce sites have no excuse for not complying with our version of the EU ‘Cookie Law’.

But what do you really need to do? There was a lot of fear, Uncertainty and Doubt back in 2012. The sneers of “they cannot be serious” were joined by complaints that “it will set back the economy”.

By 2014 the situation was becoming clear, so I recommend you skip to the key updates in the resources section below. To skip straight to the updates, click here: [Updated: June 2014 with a link to a great summary of what’s actually been done in the way of enforcement].

I had already sent out my own thoughts on the subject to my email list months before writing this original blog post in 2012. So I wasn’t going to add yet more to the public debate by writing a blog post. But… I’m a great believer in using Google Analytics Site Search Reports as a way of finding out what people want. And those reports show that people were coming to this site looking for information about the EU cookie law.

So here goes.

What you need to do now

1. Do an audit of your site and document what you’re tracking, how and why
2. Update your privacy policy to include the information

Taking these first steps towards obeying the law ought to be sufficient to reduce the chances of a fine.

But you shouldn’t stop right there. That would be particularly irresponsible if you’re a prominent site which is more likely to attract the attention of someone who wants to complain to the ICO either out of malice or simply to provoke a test case.

Because:

Strictly speaking, the law requires you to have an opt-in consent system live on the site. Now.

So:

3. You should also be able to at least show that you’re working on your solution to the requirement to ask all visitors to your site to actively give consent for you to use cookies or any similar tracking systems. [Update: when Dan Barker’s 2014 post you will see how this aspect of ‘doing something’ has a real impact on the attitude taken by the ICO]

EU Cookie Law Opt-in Systems

The general opinion in most of the discussion on the subject I have seen is that sites will be able to get away with breaking the consent aspect of the law for a bit longer, provided that they can show they have started to comply by documenting the audit and updating their privacy policy.

This opinion is based on a series of reasonable assumptions:

• That the law is intended to target sites which are using tracking in suspicious or devious ways, not sites which are using the standard analytics and marketing systems
• That the ICO does not have a huge team to police this and start actively checking every site

The opinion is supported by things like this guide to implementing the law on public sector websites issued by the UK Government Digital Service:

http://alphagov.files.wordpress.com/2012/03/gds-cookies-implementer-guide.pdf [Opens in new tab]

At the moment there are very few examples to look at out in the wild. You can bet that some more will appear on the day itself on big-name sites such as BBC, Amazon, Tesco, ASOS etc. If I remember correctly Argos went live with one when the law took effect last year, but removed it within hours as soon as the period of grace was announced.

The best example I have seen so far is the one on part of the BT site:

And here’s a video of it in action:

You can visit the site to see it for yourself here:
http://www.productsandservices.bt.com/ [Opens in new tab]

This is particularly good for these reasons

• It’s a prominent overlay which appears when someone lands on the site.
  • But because this position is also widely used for things like survey invitation and “you may also like” promotions, the notice may be affected by a convenient form of ‘banner blindness’
  • People may be more likely to ignore it and assume that whatever the site is trying to get them to do will go away. Which it does.
  • Then viewing any more pages after this one will be taken as having opted-in. (Probably not 100% compliant, but that would be a fight which would make the lawyers rich.)
• The language used makes accepting the default opt-in the most simple choice.
  • Using phrases such as “if you would like” and “change your settings” subtly conveys the idea that this would be something extra to do
  • So the tempting thing to do take the easy option and do nothing

These factors combine to keep the disruption to the visitors experience to a minimum and make it most likely that the site can carry on tracking just as before.

The BT example is worth examining further. The interface they’ve provided for managing the cookie settings is extremely good and is also designed to reduce the risk of a visitor insisting that nothing is stored.

• The language does not use technical jargon: ‘cookies’ are mentioned with a link to another resource, not a wordy explanation
• The copy describes the tracking in terms of benefits to the visitor
• The sliding control shows which ‘benefits’ have been lost as the tracking is reduced which might encourage people to turn them back on

That’s impressive. The interface avoids a simple ‘yes’ or ‘no’ choice and pulls of something much more complex which may still allow them to record some valuable data. Visitors choose between the levels of ‘intrusiveness’ specified in the guidance on the directive, in a way which does not use complex language and encourages people to turn off less of the tracking.

Plenty of other solutions will appear as models during the next few months.

The need may also only be relatively short-lived. The browser developers will introduce functions for this kind of thing in due course since concerns about tracking are international.

But there will be a considerable gap before a universal solution such as that appears.

So you do need to do something now.

EU Cookie Law Resources

Official Guidance

The ICO’s Official Guide [.pdf Download]

Updates and Discussions

• [Update October 2014] A couple of years on from the start of enforcement, Dan Barker published an excellent summary of the impact of the cookie in the UK in 2014 [opens in new window]. If you’re concerned about what you need to keep out of trouble, Dan’s article contains all you need to know. The comments are also informed and informative.
  Meanwhile Heather Burns specialises in writing and talking about the subject and has a whole category of posts about the EU Cookie Law [Opens in new tab].
• [Update June 2012] The latest and best summary of the current situation, I believe, is this article from Brian Clifton: http://www.advanced-web-metrics.com/blog/2012/06/11/google-analytics-and-the-new-eu-privacy-law-3/ [Opens in new tab].
  In particular the article makes very clear the difference between anonymous plain web analytics systems, such as Google Analytics, which use first-party cookies and the more complex situation which applies when advertising systems and social functions are involved and use third-cookies. Such systems are widespread on many ecommerce sites these days. Doubleclick is one common example. AddThis, Sharethis and Liveperson Chat are also cited by Brian. YouTube is yet another. The article is a vital read.
• [Update May 2012] Important: Just before May 26th the ICO updated their guidance to clarify that ‘implied consent’ is an option. Read their announcement and download the official guidance here: http://www.ico.gov.uk/news/blog/2012/updated-ico-advice-guidance-e-privacy-directive-eu-cookie-law.aspx [Opens in new tab]
  As soon as the deadline passed, we started to see some useful examples of cookie law implementations. Smart Insights have a good round-up and on-going discussion here: http://www.smartinsights.com/marketplace-analysis/digital-marketing-laws/how-are-companies-complying-with-the-new-cookie-law/ [Opens in new tab]
  And what about mobiles?? Econsultancy discuss the usability train-wreck which is getting consent on a phone-sized screen here: http://econsultancy.com/uk/blog/9773-how-will-the-eu-cookie-law-affect-mobile-marketing [Opens in new tab]
  Meanwhile Smart Insights address the subject of email here: http://www.smartinsights.com/marketplace-analysis/digital-marketing-laws/the-cookie-law-email-marketing-and-open-tracking/ [Opens in new tab]
• [Update April 2012] There’s an extremely interesting discussion in the comments thread on this post from the Government Digital Service: http://digital.cabinetoffice.gov.uk/2012/03/19/its-not-about-cookies-its-about-privacy/ [Opens in new tab]
  And this article in The Register includes valuable responses from the ICO to specific questions about analytics tracking: http://www.theregister.co.uk/2012/04/05/eprivacy_directive_web_analytics/ [Opens in new tab]
  Dave Evans from the ICO gives very helpful answers to specific questions in this Econsultancy interview: http://econsultancy.com/uk/blog/9610-q-a-the-ico-s-dave-evans-on-eu-cookie-law-compliance [Opens in new tabs]
• Brian Clifton has published several thoughtful and authoritative items about the EU Privacy Law. The latest and most important article is the one posted in June 2011, after the UK period of grace had come to an end and taking into account the last-minute clarifications from the ICO: http://www.advanced-web-metrics.com/blog/2012/06/11/google-analytics-and-the-new-eu-privacy-law-3/ [Opens in new tab]
  10 Point Best Practice Guide for Working with Google Analytics [Opens in new tab]
  Original post and very informative discussion thread on the the EU privacy law [Opens in new tab]
  Google Analytics and the new EU privacy law #2 [Opens in new tab]
• Econsultancy have published several very good articles on the subject
  What econsultancy are doing themselves. [Opens in new tab]
  http://econsultancy.com/uk/blog/9416-eu-cookie-law-uk-government-crumbles [Opens in new tab]
  Another post from Econsultancy which includes an extensive discussion thread. Phil Pearce has contributed some particularly interesting comments here:
  http://econsultancy.com/uk/blog/9298-82-of-digital-marketers-see-the-eu-cookie-law-as-bad-for-the-web-survey#blog_comment_88290 [Opens in new tab]
  Econsultancy’s full Guide to Compliance is available for purchase here: http://econsultancy.com/uk/reports/the-eu-cookie-law-a-guide-to-compliance [Opens in new tab] There’s a free sample available for download.
• I particularly like this article by Colin O’Maley on the Association of Online Publisher’s site for the measured and sensible approach. The point about the difference between ‘opt-in’ and ‘consent’ is a very good one. [Update] But be sure to read the latest ICO guidance on this point, linked to above, as the advice on this point was revised just before May 26th. http://www.ukaop.org.uk/news/eu-privacy-directive-consent-opt-in-cookies-evidon3549.html [Opens in a new tab]

Acknowledgements

Although there’s no obvious article for me to link to, it seems wrong to write anything on this subject without crediting some people who have put notable efforts into covering the subject:

• Vicky Brock from Highland Business Research is responsible for the Freedom of Information request which obtained the famous data on the ICO’s 90% drop in recorded visits after they implemented their cookie opt-in. Vicky is also a member of the board of the Digital Analytics Association.
• Phil Pearce has been compiling research and resources on this subject for a long time. He’s maintaining the material he has curated in a Dropbox which he shares with interested parties. You can contact Phil via his Linked-in profile: http://www.linkedin.com/in/philpearce