We blogged last week about the EU Directive on ePrivacy: “Cookies and The EU Directive: Don’t Panic” and “Cookies and The EU Directive: What Brands Need To Do”.

The Information Commissioner’s Office has now (with less than 30 days to go) published some guidelines. They state some important points:

  • The Directive applies to mobile devices and applications, as well as “normal” websites; earlier EU/UK government documents didn’t always explicitly state this, but it was widely assumed
  • That the Directive applies to: “how you use cookies and similar technologies for storing information on a user’s equipment” which means future developments like Connected TVs will be covered by this
  • That Flash cookies (i.e. Locally Stored Objects) are covered in case of any doubt
  • Acknowledges (see our earlier posts) that browsers do not currently have the functionality to a) categorise cookies by purpose and b) offer consumers an easy way to control cookies by these categories (and therefore purpose)
  • States that browser settings are currently not therefore suitable to “rely on” for getting consent from consumers, despite the Directive mentioning them
  • That adding consent clauses to site Terms and Conditions is acceptable, but consumers have to be alerted to this change – they must know about it in order to give consent
  • That cookies set as a result of choosing to use a particular site feature also require consent (slightly contradicting earlier suggestions that any cookies required for site functionality were exempt). To be explicit: only cookies that are “strictly necessary” are exempt – e.g. a cookie that enables a shopping basket to work
  • Further examples of how to gain consent for particular types of cookies might be issued in future by the ICO

Translating the ICO Guidance Into Action

So what do brands actually need to do? Here are our suggestions, replacing our earlier post on the topic – but of course, we also recommend checking with in-house lawyers, and keeping an eye on the ICO site and industry press. As we’ve commented before, the 25th is just the start.

1: Audit your cookies and tags

The first step is the obvious one – make sure you know which cookies your site drops across all of its pages and as a result of on-page functionality being used. We suggest you review the tracking tags on site, too – always a useful housekeeping exercise and a perfect opportunity to remove any that are no longer required, and to consider a tag carrier solution to make this process easier in future.

We can assist Steak clients with this and suggest a tag carrier and attribution solution that we believe is significantly more advanced than the current market leader – and is being developed with privacy issues in mind. Please email your contact for more info.

It’s worth noting that redundant tags add to page load times – something Google started paying more attention to a few years ago – and slower loading pages will always impact negatively upon conversion rates.

2: Categorise your cookies and tags

As the Directive allows greater leeway for cookies that are vital for site functionality, it makes sense to categorise your cookies and treat different categories differently. We suggest adopting the DMA’s categorisation:

“Cookies necessary for the provision of service: In this case, you may continue to use cookies but you should explain to consumers why you are using them. For example, tell consumers who use an online banking service that cookies are there for security purposes and that they cannot use the service without them.

Useful but intrusive cookies: These cookies are useful to your organisation but are particularly intrusive from the consumer’s point of view. An example of this type would be third-party cookies which track a user’s use of the internet as they move from website to website. You will need to get consent for the use of such cookies and ensure that website visitors are fully aware of how the cookie will work in simple terms which they can understand.

Helpful non-intrusive cookies: Cookies which fall into this category would include cookies which track anonymously how visitors move through your organisation’s web pages. You will need to get consent for the use of such cookies in your privacy policy.

Obsolete cookies: There is no point in asking for consumers’ consent to the use of cookies if they are irrelevant. The audit provides a good opportunity to remove the use of such cookies from your website and will ensure compliance with the requirement in the Data Protection Act 1998 that personal data should not be kept for longer than is necessary.”

The ICO advice builds on this, and makes clear that cookies should be assessed for how intrusive they are, and suggests one way to do this is to imagine them on a sliding scale – including 3rd party cookies.
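One way to combine steps 1 and 2, as an added example that is not part of the original post: parse the `Set-Cookie` headers seen during a site crawl and check each cookie against an inventory keyed by the DMA categories above. The hosts, cookie names, inventory entries and action wording are constructed for illustration.

```javascript
// Added example: audit observed Set-Cookie headers against a cookie inventory.
// Category keys and action text paraphrase the DMA categories; all data is constructed.
const ACTIONS = {
  necessary: 'keep; explain purpose to users',
  intrusive: 'obtain consent before setting',
  'non-intrusive': 'obtain consent via privacy policy',
  obsolete: 'remove from site',
  uncategorised: 'review and categorise',
};

// Parse one Set-Cookie header value into a name plus lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: eq < 0 ? pair : pair.slice(0, eq), attrs: {} };
  for (const a of attrs) {
    if (!a) continue;
    const i = a.indexOf('=');
    const key = (i < 0 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i < 0 ? true : a.slice(i + 1);
  }
  return cookie;
}

// True when the host that set the cookie is outside the audited site.
function isThirdParty(setByHost, siteDomain) {
  return setByHost !== siteDomain && !setByHost.endsWith('.' + siteDomain);
}

function auditCookies(observations, inventory, siteDomain) {
  return observations.map(({ page, setByHost, header }) => {
    const c = parseSetCookie(header);
    const known = Object.prototype.hasOwnProperty.call(inventory, c.name);
    const category = known ? inventory[c.name] : 'uncategorised';
    return {
      page, name: c.name, category,
      thirdParty: isThirdParty(setByHost, siteDomain),
      persistent: 'expires' in c.attrs || 'max-age' in c.attrs, // session cookies carry neither
      action: ACTIONS[category],
    };
  });
}

// Constructed sample inventory and crawl observations.
const inventory = { basket: 'necessary', _trk: 'intrusive', visit_path: 'non-intrusive', promo2009: 'obsolete' };
const observations = [
  { page: '/shop', setByHost: 'www.example.test', header: 'basket=abc123; Path=/; HttpOnly' },
  { page: '/', setByHost: 'ads.tracker.test', header: '_trk=u-42; Domain=tracker.test; Max-Age=31536000' },
  { page: '/login', setByHost: 'www.example.test', header: 'remember_me=1; Expires=Wed, 25 May 2011 00:00:00 GMT' },
];
const report = auditCookies(observations, inventory, 'example.test');
console.table(report);
```

Cookies that come back as `uncategorised`, such as the `remember_me` cookie set by a site feature here, are the ones the audit has missed and that still need a category and a consent decision.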

3: Update Privacy Policies and Site Terms and Conditions

We strongly suggest brands add text to the existing privacy policy pages linked to from the site footer, or via a new footer link “Cookies” depending on in-house style. This should cover the different types of cookie as categorised above, clearly specify what they are used for, and link to any 3rd party information as relevant. The ICO document states: “You must think also about giving people more details about what you do – perhaps a list of cookies used with a description of how they work – so that users can make an informed choice about what they will allow.” Remember that you should also provide links to any opt-out mechanisms that exist, too.

4: Decide how to tell consumers – and plan site changes

The ICO have (finally) been clear – brands need to tell consumers that they are using cookies and alert them to any update to Privacy Policies or site Terms and Conditions after the 25th of May, including linking to information about the policies of third party cookies.

The ICO document discusses two options for informing consumers:

Splash pages or pop-ups which the ICO discount as possibly irritating, and they seem to miss that many browsers block most pop-ups as standard, anyway.

Text in the footer or header which highlights/scrolls when a cookie needs to be set – this could be a good option, or incredibly ugly – and the ICO seem to have missed that most consumers rarely see the footer of a site, as it’s below the fold.

Sites also need to make clear if any site functionality drops a cookie – e.g. ticking a “remember me” box when logging in.

This area is challenging – brands will need to alert consumers without scaring them, or ruining the aesthetic of their websites. No doubt we’ll see some good and some terrible attempts at this in the coming weeks; our initial suggestions are:

Consider a header “accordion”

This is something Amazon already do well – if you visit the .com site from the UK, a content “accordion” suggests you visit the .co.uk site; Yahoo! do the same. It’s not hard to imagine these adapted to state something like: “This website uses cookies; under new EU law, we need your consent to use them – please click here” linked to the relevant information / opt out to gain consent (or not). Obviously this needs legal sign-off; but the mechanism is worth considering.

This could be set to only appear on first visit to the site after the 25th (using a cookie, ironically) and then re-enabled for subsequent changes. This of course only applies if the user doesn’t need to give consent on every visit – but if that becomes required, the industry is going to have wider issues to worry about, anyway.

The current usage of this technology by Amazon and Yahoo! is shown below:

Add text to functionality options

Wherever a site user takes action (clicks, ticks a box etc.) and enables site functionality that drops a cookie, add text telling them – e.g. “By ticking ‘remember me’ you will set a cookie on your computer. Read more here” (linked to Ts and Cs/Privacy Policy as relevant). This of course won’t be the easiest thing to integrate into site designs – another option might be a small piece of text “Uses Cookies – Hover for Info” which uses a hover-over tool tip to provide info and a link.

5: Monitor the Press

This will be the most important thing after the 25th May – as further DCMS/ICO guidelines may be published and the attempts to enhance browser functionality succeed or fail, brands will need to adjust their cookie usage / site text accordingly.

We’ll post further posts and update this one as relevant.