UPDATE: we’ve posted a revised set of steps following the ICO’s guidance notes here – please read these instead.
In part one we outlined the EU Directive affecting cookies and some of the controversy and interpretations surrounding it; below we discuss the practical steps we suggest brands should take before the 25th May, drawn from our own reading and briefing notes from the IAB UK, DMA, IPA and other sources:
1: Audit your cookies and tags
The first step is the obvious one – make sure you know which cookies your site drops across all of its pages and as a result of on-page functionality being used. We suggest you review the tracking tags on site, too – always a useful housekeeping exercise and a perfect opportunity to remove any that are no longer required, and to consider a tag carrier solution to make this process easier in future.
We can assist Steak clients with this and suggest a tag carrier and attribution solution that we believe is significantly more advanced that the current market leader – and is being developed with privacy issues in mind. Please email your contact for more info.
It’s worth noting that redundant tags add to page load speeds – something Google started paying more attention to a few years ago – and slower loading pages will always impact negatively upon conversion rates.
2: Categorise your cookies and tags
As the Directive allows greater leeway for cookies that are vital for site functionality, it makes sense to categorise your cookies and treat different categories differently. We suggest adopting the DMA’s categorisation:
“Cookies necessary for the provision of service: In this case, you may continue to use cookies but you should explain to consumers why you are using them. For example, tell consumers who use an online banking service that cookies are there for security purposes and that they cannot use the service without them.
Useful but intrusive cookies: These cookies are useful to your organisation but are particularly intrusive from the consumer’s point of view. An example of this type would be third-party cookies which track a user’s use of the internet as they move from website to website. You will need to get consent for the use of such cookies and ensure that website visitors are fully aware of how the cookie will work in simple terms which they can understand.
Helpful non-intrusive cookies: Cookies which fall into this category would include cookies which track anonymously how visitors move through your organisation’s web pages. You will need to get consent for the use of such cookies in your privacy policy.
Obsolete cookies: There is no point in asking for consumers’ consent to the use of cookies if they are irrelevant. The audit provides a good opportunity to remove the use of such cookies from your website and will ensure compliance with the requirement in the Data Protection Act 1998 that personal data should not be kept for longer than is necessary.”
3: Update Privacy Policies and Consider Site Ts and Cs
Until the full DCMS guidelines are published (sometime after the 25th May – see part one), knowing exactly how the DCMS and ICO will require websites to gain consent for dropping cookies is impossible. At the very least, we strongly suggest brands add text to the existing privacy policy pages linked to from the site footer, or via a new footer link “Cookies” depending on in-house style. This should cover the different types of cookie as categorised above.
We also strongly suggest talking to in-house lawyers at this stage, but especially on the point of consent. It may be that site Terms and Conditions will become the place to request consent in the DCMS guidelines. The theory is that by using the site the visitor accepts the site Ts and Cs (a standard mechanism now) and the Ts and Cs can be amended to include giving consent as a result of using the site. That may be a change worth making sooner rather than later.
4: Monitor the Press
This will be the most important thing after the 25th May – as detailed DCMS/ICO guidelines are published and the attempts to enhance browser functionality succeed or fail, brands will need to adjust their cookie usage / site text accordingly.
We’ll add further blog posts as this develops.
UPDATE 6/5: Some government guidelines might be published before the 25th according to some sources; however how much time brands will then have to act is unclear; we still suggest following the steps above.