Found Blog

Cookie Monster

The EU Cookie Directive Saga

Posted on in the categories

As the deadline for compliance with the EU ePrivacy Directive fast approaches, the owners of every web property aimed at consumers here in the UK are frantically developing solutions. Or at least they should be, shouldn’t they?

As I write this I have surfed through a few dozen ‘household name’ retailer web sites and have seen no evidence of any of them attempting to get ahead of the game and implement a compliance solution to this regulation early. Maybe I’ve missed all the ones that have, and maybe the ones I haven’t missed have a solution ready to roll out come May. But somehow I doubt it.

So what is this directive thing?

Just in case you haven’t got a clue what I’m talking about I’ll summarise.

Nearly all websites use cookies. If you work in online, or are even a tiny bit digital, you are probably aware of these quite badly named packets of digital information. Cookies sit on your hard disk, placed there by the websites you visit as you shop, read, play, learn, and whatever else you do on the Internet. They are the reason Amazon for example knows what you bought and can suggest other products to you. They enable us to analyse the web sites we manage and see how long people spent on them, how many pages they viewed, and what you typed in to get to the site. They are the reason a website remembers what you put in your shopping basket and they are the tracking that enables a vast amount of digital marketers to prove their worth and earn their money.

So the ‘EU Privacy Directive’ or the ‘EU Cookie Directive’ as some are dubbing it, is asking that all websites dropping cookies of the intrusive kind (pretty much all of them) get consent from their visitors before dropping any cookies; meaning that (almost) every single site that drops a cookie will have to obtain consent by asking ‘Are you happy for us to drop cookies?’ or face a possible €500,000 fine!

This poses all sorts of problems for all sorts of people. What most of these people are scared of is that when presented with the option to turn off cookies, that users will take it. Thus leaving web publishers, online marketers and digital strategists everywhere; flailing their arms about wildly and screaming loudly about not being able to do their jobs.

Panic button

Surely this is mainly an education piece? If people knew that on the whole cookies do good stuff to make their journey across the web more pleasant and their experience of websites better then, they wouldn’t be so fearful of them.

So where has the fear come from?

I think that part of it harks back to the days of pop up banners, relentless email spam and websites with animated gifs of unicorns. The internet was, and to some degree still is, seen as untrustworthy and predominantly the domain of hackers, scammers, pirates, porn-stars and phishers. However we’ve come a long way since then, even your mum has a Facebook account now, and online shopping is becoming the norm and not just reserved for the geeks and the nerds. Not to mention the massive revenue it generates for the UK economy.

The trouble is that an element of online advertising is proliferating this image and potentially making this stereotype worse. You’ve probably experienced this, the feeling that a website is stalking you across the web. Maybe you looked at a pair of shoes on a website, possibly with no intention of buying them, and now everywhere you go that pair of shoes and similar ones appear on banners as you try and read the news or do your grocery shopping. This is called behavioral retargeting and most people get a bit spooked out by it, including me. People who are naturally a little bit suspicious see these banners and ads stalking them across the web and freak out in an anti-1984, ‘they’re all out to get me’ , cookie deleting rage, well I did the first time I experienced them anyway.

Don’t get me wrong, this is just advertising, done in the right manner behavioral retargeting could be really powerful. If the album I had just read two reviews of was later on in the week brought back to my attention with a decent discount; I would certainly be more likely to make a purchase, and it would almost definitely be more relevant to me than a traditional banner ad. At the moment however, in the way most companies are using it, its too broad and too general to work for me personally.

So back to the problem..

How do you inform users that you are using cookies on your sites in such a way as to not make them want to turn all of them off? And here is where all the debate is at: how far do we have to take our actions to comply? But if the big merchants aren’t complying, why should the little guys?

The regulations state that both first party (cookies dropped specifically by and for the website you are visiting) and third party cookies (cookies dropped by the website you are visiting on behalf of another website e.g. google analytics cookies) both need full consent from the website visitor before they are dropped. The only exceptions are likely to be cookies that are needed to make online shopping baskets work and security cookies like those used in online banking. So that leaves a whole lot more in the cookie tin that every website will need to ask consent about before dropping!

Pop-up warning

I have seen solutions ranging from the blatantly obvious drop down bar that appears and describes what each cookie is and what it does, to the discretely located sticker that rolls over to reveal the information. The problem here is that the guidelines are fuzzy and that the potential harm that could be done by a large percentage of users turning off cookies is huge.

Can we rely on the browsers to implement a solution in time for us not to act upon this? Put simply – No.
The ICO makes it clear that ‘relying on browser settings will not be sufficient’ and even if the browsers implement a solution, getting everyone on those browsers will take time. Implementing a different solution for specific browsers will get messy and fiddly.

The stats out there are quite frightening, the ICO’s own website shows this opt-in message at the top of its website (dare I say not really designed with much thought about conversion behind it).

ICO warning

This graph courtesy of Vicky Brock, @brockvicky shows what is likely to happen to web analytics if you implement that solution!

ICO traffic before and after

For affiliate publishers, performance marketing agencies and networks alike the above is a very scary thought. If even half of this kind of drop off in cookies was across the board it would be disastrous. No cookies = no commissions = no jobs?

What can you do?

So the race is on to find a way to comply with the minimum impact, and to educate the world (or at least the UK) about the real positive value of cookies.

Videos like this certainly help.


How can cookies make your surfing experience convenient?Explania


The big cookie contest Explania

After this directive becomes active I think the worst offenders of the biggest sites will be the ones who will potentially be targeted and fined, if any. You would hope it won’t be Joe Bloggs with his small blog on fly fishing that he has put Google analytics tracking on. But everyone in-between should be looking to at least show that they have in some way tried to comply with these rather harsh and potentially damaging new regulations.

So what are we going to do? The responsible thing… as little as possible, but enough to show that we are willing to make an effort to comply. Then we’ll watch the big boys and see what they implement, one of them is bound to get it right, and one or two might just be made an example of by the ICO. Interesting times ahead.

Interesting related articles:

http://www.davidnaylor.co.uk/eu-cookies-directive-interactive-guide-to-25th-may-and-what-it-means-for-you.html
http://blog.silktide.com/2011/05/cookie-law-makes-most-uk-websites-illegal-what-you-need-to-know/

Helpful Advice:

http://www.iabuk.net/blog/reminder-of-the-ico-advice-do-a-cookie-audit-start-planning

Regulation guides:

http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/cookie_rules_prepare.aspx
http://www.cookielaw.org/media/2398/eu_directive_published_version.pdf

Cookie Monster image courtesy of the excellent ssoosay http://www.flickr.com/photos/ssoosay/

Discussion 8 comments

  • Anonymous

    This article is on the nail in many respects. How are sites supposed to make revenue to provide jobs and free content when their advertising income would be so adversely affected by the implementation of the law?

    At cookiecert.com (recently launched) we have created a cookie database for people to quickly and easily and see if their site is compliant under the current rules. We are providing a free consent tag for people to get compliant fast with minimal effort.

    Great article!

    January 31, 2012 at 4:06 pm
  • David McAlinden

    This is a very interesting legislative area at the moment. The ICO have confirmed that the lead-in period for companies to develop methods to comply with the revised Regulation will end in May 2012. So there are roughly 4 months for everyone to get their house in order.

    I’m not sure that even the ICO banner method, outlined above, will satisfy the regulations, as it is arguable that this method implies consent by the website user. If this is insufficient, it will mean a move to a much more invasive consent method.

    Advertising networks and other third parties shall probably experience great difficulty obtaining consent for their cookies as they may not operate or have any control over the websites that they advertise. So how do they comply with the Regulations?

    A solution would be to contractually oblige the website operator to obtain consent for these third party cookies. However, as you will be aware, this is very difficult to obtain.

    I think the ‘wait and see’ approach will be emulated by a lot of parties. 

    What must also be borne in mind is that as the Regulations take effect, website users and the general public will become more aware of the purpose and usage of cookies. As the general level of knowledge increases, the threshold for what is acceptable for compliance with the Regulations may decrease, as advised by the ICO.

    February 1, 2012 at 12:36 pm
  • Keith Horwood

    Econsultancy have posted 3 different solutions to complying with the EU Cookie Law, and the pros and cons of each

    March 6, 2012 at 9:25 am
  • Anonymous

    I am currently away on holiday today, I will be checking my emails intermittently. Any urgent enquiries should go to publishers@found.co.uk or a message can be left on 0207-653-6709. I will be back in the office as usual on Mon 12th March

    March 6, 2012 at 10:04 am
  • Keith Horwood

    Three approaches to compliance, and the pros and cons of each have been posted on econsultancy - 
    http://econsultancy.com/uk/blog/9202-eu-cookie-law-three-approaches-to-compliance

    March 6, 2012 at 9:40 am
  • Anonymous

    I am currently away on holiday today, I will be checking my emails intermittently. Any urgent enquiries should go to publishers@found.co.uk or a message can be left on 0207-653-6709. I will be back in the office as usual on Mon 12th March

    March 6, 2012 at 10:01 am
  • Anonymous

    I am currently away on holiday today, I will be checking my emails intermittently. Any urgent enquiries should go to publishers@found.co.uk or a message can be left on 0207-653-6709. I will be back in the office as usual on Mon 12th March

    March 6, 2012 at 1:14 pm
  • Pingback: Whose Data is it anyway? Firefox Encrypts Search Data | Found

  • Leave a Reply

    Your email address will not be published. Required fields are marked *

    You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>