We blogged last week about the EU Directive on ePrivacy in two posts: “Cookies and The EU Directive: Don’t Panic” and “Cookies and The EU Directive: What Brands Need To Do”.
The Information Commissioner’s Office has now (with less than 30 days to go) published some guidelines. They state some important points:
- The Directive applies to mobile devices and applications, as well as “normal” websites; earlier EU/UK government documents didn’t always explicitly state this, but it was widely assumed
- Flash cookies (i.e. Local Shared Objects) are covered, in case of any doubt
- The ICO acknowledges (see our earlier posts) that browsers do not currently have the functionality to a) categorise cookies by purpose and b) offer consumers an easy way to control cookies by these categories (and therefore purpose)
- Browser settings are therefore not currently suitable to “rely on” for getting consent from consumers, despite the Directive mentioning them
- Adding consent clauses to site Terms and Conditions is acceptable, but consumers have to be alerted to this change – they must know about it in order to give consent
- Cookies set as a result of choosing to use a particular site feature also require consent (slightly contradicting earlier suggestions that any cookies required for site functionality were exempt). To be explicit: only cookies that are “strictly necessary” are exempt – e.g. a cookie that enables a shopping basket to work
- Further examples of how to gain consent for particular types of cookies might be issued in future by the ICO
Translating the ICO Guidance Into Action
So what do brands actually need to do? Here are our suggestions, replacing our earlier post on the topic – but of course, we also recommend checking with in-house lawyers, and keeping an eye on the ICO site and industry press. As we’ve commented before, the 25th is just the start.
1: Audit your cookies and tags
The first step is the obvious one – make sure you know which cookies your site drops across all of its pages and as a result of on-page functionality being used. We suggest you review the tracking tags on site, too – always a useful housekeeping exercise and a perfect opportunity to remove any that are no longer required, and to consider a tag carrier solution to make this process easier in future.
We can assist Steak clients with this and suggest a tag carrier and attribution solution that we believe is significantly more advanced than the current market leader – and is being developed with privacy issues in mind. Please email your contact for more info.
It’s worth noting that redundant tags add to page load times – something Google started paying more attention to a few years ago – and slower loading pages will always impact negatively upon conversion rates.
2: Categorise your cookies and tags
As the Directive allows greater leeway for cookies that are vital for site functionality, it makes sense to categorise your cookies and treat different categories differently. We suggest adopting the DMA’s categorisation:
Useful but intrusive cookies: These cookies are useful to your organisation but are particularly intrusive from the consumer’s point of view. An example of this type would be third-party cookies which track a user’s use of the internet as they move from website to website. You will need to get consent for the use of such cookies and ensure that website visitors are fully aware of how the cookie will work in simple terms which they can understand.
The ICO advice builds on this, and makes clear that cookies should be assessed for how intrusive they are, and suggests one way to do this is to imagine them on a sliding scale – including third-party cookies.
3: Update Privacy Policies and Site Terms and Conditions
4: Decide how to tell consumers – and plan site changes
The ICO have (finally) been clear – brands need to tell consumers that they are using cookies and alert them to any update to Privacy Policies or site Terms and Conditions after the 25th of May, including linking to information about the policies of third party cookies.
The ICO document discusses two options for informing consumers:
- Splash pages or pop-ups, which the ICO discount as possibly irritating; they seem to miss that many browsers block most pop-ups as standard, anyway.
- Text in the footer or header which highlights/scrolls when a cookie needs to be set – this could be a good option, or incredibly ugly – and the ICO seem to have missed that most consumers rarely see the footer of a site, as it’s below the fold.
Sites also need to make clear if any site functionality drops a cookie – e.g. ticking a “remember me” box when logging in.
This area is challenging – brands will need to alert consumers without scaring them, or ruining the aesthetic of their websites. No doubt we’ll see some good and some terrible attempts at this in the coming weeks; our initial suggestions are:
Consider a header “accordion”
This could be set to only appear on first visit to the site after the 25th (using a cookie, ironically) and then re-enabled for subsequent changes. This of course only applies if the user doesn’t need to give consent on every visit – but if that becomes required, the industry is going to have wider issues to worry about, anyway.
The current usage of this technology by Amazon and Yahoo! is shown below:
Add text to functionality options
5: Monitor the Press
This will be the most important thing after the 25th May – as further DCMS/ICO guidelines may be published and the attempts to enhance browser functionality succeed or fail, brands will need to adjust their cookie usage / site text accordingly.
We’ll publish further posts and update this one as relevant.