The latest advice on the UK response to the revised e-privacy directive on site cookie usage
June 23rd update: The impact of the cookie law on analytics
I find this scary - a death knell to the "most measurable medium anywhere". Thanks to analytics specialist Vicky Brock asking for information on visits tracked by Google Analytics to the Information Commissioner's website, we can get a pretty good idea of how many would be happy to opt-in to analytics - the answer is very few, and certainly few enough to skew the stats so they're meaningless. The massive drop in traffic recorded is due to the implementation of an opt-in to cookies as shown in the next entry in this post. Time to dust off those old log-file based analytics tools in a year's time I think...
Vicky filed a freedom of information request. Thanks to Mark Brownlow for alerting us to this - she has the full data set here.
May 25th update: New privacy law comes into force
Or does it? We've been tracking the Information Commissioner's website and the latest new privacy law guidance (PDF) on the 25th May states that:
25 May 2011: ICO gives website owners one year to comply with cookies law
Organisations and businesses that run websites aimed at UK consumers are being given up to 12 months to ‘get their house in order’ before enforcement of the new EU cookies law begins.
So, there's no need to panic - there's one year to comply - so the deadline in reality is 25th May 2012 - that's what to tell any colleagues or clients who ask. But you'll want to plan; this is the best practical guidance I've seen on the issues to consider to comply, although it's all subject to further clarification by the ICO over the year and depending on how others interpret it.
It's less clear what the implications are for Google Analytics, used by many sites. Silktide speculate on the implications of the cookie privacy law for web analytics, and this plugin has been developed which shows one example of what may be required for compliance. Yuk!
In the meantime it's worth taking a look at the new update to the ICO website for an idea of how compliance may change privacy messages and encourage opt-in. Whoa - will all sites need to look like this?!
May 3rd update: on clarification of company action needed
With less than a month to go before the May 25th deadline some are scaremongering with headlines like "Websites face £500k fine for breaching 'cookie' law".
That said, it is worth noting that there is indeed now a higher level of fine specified by the ICO, but this applies to all marketing activities covered by the May 25th update to the Privacy and Electronic Communications Regulations including sending unwanted emails and text.
The purpose of my update is to reassure marketers and site owners that there is now more clarity on the compliance required and it seems certain that in the UK companies will be given considerably longer than the May deadline. I also wanted to point you to the most authoritative sources giving guidance.
I say this following comments made by the person who gives guidance and clarification on the law, namely, Information Commissioner Christopher Graham. He spoke at the UK DMA’s Data Protection Conference earlier this month, and the essence of the advice is summarised in these 2 documents from the UK DMA giving guidance on implications and actions to take:
My summary of these is that:
1. There will be a phased implementation meaning that companies will not be fined immediately, so long as they are taking steps to address the new law.
2. It's hoped that browser settings may be used to manage the issue, which is clearly going to take some time, to say the least, but it seems that some form of consent will be required where cookies aren't essential to operation of the service.
3. Some forms of cookies for basket, session management and security essential for Ecommerce sites will be exempt. However, it's still not clear how cookies for analytics will be treated - these affect nearly all sites!
Previous update: The cookie opt-in deadline
In this post we hope to alert all website managers and owners to the rapidly approaching 25th May 2011 deadline to incorporate "cookie opt-in law" into their sites. This deadline is set by EU members in Brussels as part of the "Citizens Rights Directive" 2009/136 ("CRD") which includes amendments to the E-Commerce Directive (2002/58/EC).
Our update on this law is based on the latest advice from Marketing Law (Osborne-Clarke) and Out-Law (Pinsent Masons) which are the two legal sites we always turn to for UK digital marketing law updates.
What could the cookie opt-in requirement mean?
To gain an idea of what the new e-privacy directive could mean, take a look at the British Airways site and its cookie disclosure policy.
At the very least, site owners may need to plan for substantial increases in disclosure of tracking under the new law. At worst, as on the BA site, it could require opt-in to cookies before going into the site. Could all sites soon have to look like this…?!
What does "cookie opt-in" mean?
The requirement for new site visitors to opt-in before using a site is a scary one given the widespread use of cookies by most sites today for everything from personalisation to tracking. The implications for ad networks offering remarketing and retargeting are also massive, so why has there been so little coverage of this issue outside the specialist legal sites?!
The wording of the new, revised Article 5 (3) of the Privacy and Electronic Communications Directive was what surprised me:
"Member States shall ensure that the storing of information or the gaining of access to information stored in the terminal equipment of a subscriber or user should only be allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service."
As Out-Law pointed out, this suggests a requirement for cookie opt-in for new site visitors.
I can envisage the need for splash home pages similar to that on BA.com clearly requiring consent. But what happens when visitors arrive deeper in the site as is common - have the lawmakers considered this? I doubt it!
Will there be exceptions to mandatory cookie opt-in?
So far, so frightening, but Osborne Clarke suggest there may be wiggle room around explicit prior consent.
They note that in para 66 of the preamble to the CRD it states:
"Where it is technically possible and effective…the user's consent to processing may be expressed by using the appropriate settings of a browser or other application."
and at the end of 5 (3):
"prior consent will not be required if the cookie is strictly necessary to deliver a service which has been requested by the user."
They go on to say that this has been "seized on" by the UK Government in its consultation document as the basis for its preferred approach to implementing Article 5 (3).
The consultation document by the government Department for Business Innovation and Skills (BIS) takes a practical view which I couldn't have expressed better myself:
"The internet as we know it today would be impossible without the use of …cookies …so it is important that this provision is not implemented in a way which would damage the experience of UK web users or place a burden on UK or EU companies that use the web."
The government consultation document goes on to recommend this option:
"Option 2: Allow consent to the use of cookies to be given via browser settings. This is the preferred option because it allows the UK to be compliant with the E-Privacy Directive without the permanent disruption caused by an opt-in regime."
So for now it seems UK site owners can relax, although the final recommendations from the government aren't yet defined. However, if you operate in other markets there is still cause for concern. Watch this space!