Our Analytics Executive Dan (who has no social media presence, through choice) went to a high-level meeting about the potential cookie laws. I thought it would be interesting to get him to blog on the very complex subject; here are his notes.
“Cookie Law
The Privacy and Electronic Communications Regulations 2003 are expected to be adopted into UK law around the end of the month, although this may slip.
There is no clarity around what companies should be doing to ensure compliance. Thankfully the Department for Culture, Media and Sport (DCMS) has indicated that they won’t be expecting compliance from companies for at least a year after the regulations are adopted.
Wording of the regulation:
‘Member states shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on the condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing’
There are different interpretations around what constitutes consent/what counts as functionality and what counts as clear information.
What will this affect?
- Core functionality (shopping baskets, sign-in)
- Tracking (and 3rd party tracking)
- A/B and multivariate testing
- Any behavioural advertising
- Any regular digital advertising
What we know works
The DCMS has said that the voluntary frameworks published by both the Internet Advertising Bureau (IAB) and the European Advertising Standards Alliance (EASA) would be considered compliant with the act but that they are not the only solutions to the issues. They have also been very clear that they are likely to be very tough on what constitutes essential site functionality (shopping baskets would be acceptable, recommended products would not fit in essential functionality).
- What constitutes consent (opt-in, opt-out, what level of granularity is required)
- Who is responsible for compliance when advertising (the publisher who is displaying an ad, the network arranging distribution of the ad or the advertiser who is paying for the marketing)
- Level of compliance with other countries required. In theory if a person from Germany visited the site then we would be subject to the German interpretation of the Directive, despite being UK based and UK compliant.
Worst Case Scenario
- The strictest interpretations of the directive are followed. We would probably end up needing a pop-up before any of our sites which explained which cookies we used, why we used them, and then gave the option of itemised consent to the user. This would need to be presented whenever a visitor came to any of our sites as we wouldn’t be able to store the answers past that session.
- In addition we would have to have IP geolocation in place to either block or present customised warnings/solutions to non-UK visitors.
- We would have to take extra care when planning campaigns to ensure that any digital advertising on our behalf is totally compliant/run through compliant networks/on compliant sites.
- The detail on our tracking plummets as people are forced to opt in.
Best Case Scenario
Currently consent is considered to be given because browser settings allow you to choose the level of cookie you’re comfortable with. Ideally, this would continue to cover all the responsibilities in the directive.
If we were to run behaviourally targeted advertising then we would likely need to sign up to the IAB’s technical solution (not yet created), but this is likely to be handled by the networks rather than individual companies.
We have a year and most people seem to be waiting to see what other companies do. Unfortunately it looks like much of the clarity will come from breaches of the regulations being pursued.”