There has been panic and confusion surrounding the new EU ePrivacy Directive – dubbed the ‘cookie law’ – which came into force last month, with the intention of raising consumer awareness about how information is collected and stored by web pages.
Joe Wilson, e-marketing analyst at animal charity the RSPCA, says: “At one point, everyone was a bit worried there would have to be a big pop-up on entry for every single site visitor, where they just tick a box saying ‘no’ and we wouldn’t be able to serve any cookies at all.”
The charity was not alone in its concerns. The UK’s communications minister Ed Vaizey commented that the directive was “well-meaning regulation that will be very difficult to work in practice”, while others have said the Information Commissioner’s Office (ICO), charged with regulating the law, has failed to provide enough information to brands around how to act. So what are brands doing to address the directive, and will it be enough for consumers?
Michael Ross, co-founder of Figleaves.com, advises ecommerce companies through his firm eCommera and is also an advisory board member of online retailer Glasses Direct. He says the ICO, by its own admission, has given relatively vague advice on what brands have to do to comply.
“When I spoke to the ICO, it didn’t want to be prescriptive because in other environments where it has been prescriptive, it hasn’t gone down very well. So it wanted to be vague, but obviously being vague has its consequences.”
In simple terms, the new law requires all websites to ask visitors for permission to store information about them – information that is often held in text files called cookies. While some cookies are essential to the smooth running of a site – for example, those used to remember what someone has put in an online shopping basket – others could be considered ‘intrusive’, such as those used to analyse users’ behaviour and to target ads according to their interests. The ICO has said that ‘essential’ cookies are likely to be exempt from complying with the rules, and it will focus its regulatory efforts on the most intrusive, ‘non-essential’ cookies.
As the laws are now fully in force, websites should already be seeking consent from visitors if they intend to use non-essential cookies. For those that have been slow to react, one of the key pieces of advice offered by Mandeep Masutay, vice chair of the ISBA digital action group and digital marketing manager at Molson Coors, is to carry out a site audit to identify exactly what cookies are in place and whether they are essential to its operation.
Recent research by Eccomplished, which looked at how 100 online retailers planned to respond to the new directive, revealed that 67% have been carrying out audits to meet the new requirements.
The RSPCA is one organisation that did act early, working with iSpy Marketing to carry out an audit. “[The audit] showed us how many cookies we were serving and which categories they were in – which are essential for the site, which can be classed as non-essential and which can be classed as non-essential and intrusive,” says Wilson.
“Without that audit it would have been hard but the fact that we have carried it out is also a key part of compliance with the law. You need to be able to show you have taken the time to do that work.”
It is something that Fujitsu also made a priority, and found a valuable experience. UK marketing director Simon Carter says: “It was very useful to carry out an audit to assess whether site cookies were really needed. For example, we recently switched to a different web statistics package and found that some pages still included cookies used for the old system. The audit allowed us to identify and remove these. The exercise also prompted a wider discussion of online privacy and a greater awareness of those issues within the business, which has proved positive.”
Just days before the cookie law came into force last month, the ICO changed its guidance to indicate that this approach, known as ‘implied consent’, would not breach its interpretation of the law. But if the ICO doesn’t make websites ask users to explicitly opt in to receiving cookies, the European Commission could eventually rule that it is not enforcing the law effectively. Until that happens, however, it seems the most common response to the law is for websites to inform users that continued use of the site counts as consent.
67 per cent of companies have carried out audits into cookie use on their websites
The RSPCA’s Wilson says the charity has taken similar action: “We will either provide specific instructions on that page or links to specific instructions of how users can opt out of the cookies classed as non-essential and intrusive.” He cites display tracking cookies, used for targeting advertising across multiple different websites, as an example.
While carrying out audits and updating privacy policies might sound straightforward, there are challenges involved in compliance. Wilson says one of the biggest challenges the RSPCA faced was project managing the activity.
“There are stakeholders all round the organisation – me and my colleagues on the web team, the IT team, the legal department, the data protection department and our fundraising team. All of them had a big stake in this and we had to make sure they all knew what we were doing and how it affected them, making sure we ticked all their boxes. We have quite a few microsites around the organisation too, so we had to ensure they weren’t left out and people knew exactly what they needed to do.”
This view is supported by David Ellison, marketing services manager of ISBA. “A number of our members have been preparing in earnest for the EU privacy directive since last year,” he says. “We have suggested a multi-departmental approach to finding a solution, rather than simply leaving it to individual silos, such as marketing or IT departments, to get on with it.”
Another key challenge lies in minimising the impact of any site changes on the user experience. It is an area Fujitsu will continue to monitor after taking the bold move of introducing a bar asking each visitor if they would like to allow cookies. “We tried to make the design as effective as possible without disrupting the functionality of the website,” says Carter. “We hope the opt-in bar will have minimal impact on user experience but are keen to get feedback on this after the changes appear.”
The Countryside Council for Wales, which has just launched a website for the Wales Coast Path, has also been offering an opt-in bar asking visitors to consent to cookies, although web editor Cameron Edwards says it made sure it was using as few cookies as possible in the build phase. “We only utilise a ‘core’ default cookie, a few Twitter third-party cookies and a stats cookie.” The consent box details all of the cookies used.
Edwards says that one month after introducing the changes, the site was attracting between 25,000 and 30,000 people a week, and very few have opted out. “We are only seeing about 4-5% that aren’t consenting. Our policy was really one of just ‘fessing up’ to everything we use without necessarily scaring people, and minimising the look of the consent window so people still have a quality navigation experience. I’m not anticipating a huge loss of traffic. I have not seen any strong evidence that we are losing people because we’re telling them we use a web stats package.”
One of the main concerns from brands comes from the fact that site analytics cookies, which enable brands to record traffic numbers to their site, are being regarded as ‘non-essential’. Site owners are therefore worried they would have to ask for explicit permission to use them.
The ICO trialled this on its own site, requiring consumers to tick a box to allow analytics cookies to be used. It saw a 90% decrease in recorded traffic. Site owners fear, therefore, that using an active opt-in could mean they will only be able to understand the behaviour of one in 10 of their customers.
It is something that has been concerning Carter at Fujitsu. “The main challenge in the future will be the impact on visitor tracking,” he says. “Tracking statistics are used to analyse anonymous visitor behaviour and let us identify areas of the site needing improvement. They also help us measure the success of online marketing campaigns.
“We don’t know how many people would disallow cookie use, so we don’t know the extent to which this would skew the data we collect on campaigns [if explicit consent becomes necessary]. We won’t have an accurate view of overall site visitor numbers, although we will be able to compare results from different pages. Finding new ways to analyse data effectively will be a challenge.”
As Figleaves founder Ross says, this could cause particular problems for retailers, or for brand owners selling direct to consumers and making marketing decisions using web analytics. “To be blunt, cookies are essential to run your business, so if you give people an opt in where 70, 80 or 90% of visitors go dark, you just can’t run your business like that – there is no way round that. I think people in a commercial environment could essentially not be complying with the law – it’s complicated.”
A study commissioned by consultancy Evidon shows that the majority (57%) of UK consumers claim not to be aware of the new directive, while just 31% believe they have a good understanding of the current rules about online data privacy. This would suggest that education – not an ultimatum – is the most sensible way forward for brands, to avoid consumers panicking and choosing not to opt in.
He adds that “doing something” means having “a link on the site footer specifically explaining what cookies you use, and how they can be deleted and disabled – and that’s it.”
The ePrivacy Directive may be as clear as mud, but the spirit of the law is to be applauded. It also presents an opportunity to deepen customer relationships on the basis of renewed trust.
53% of UK consumers would have a more favourable opinion of a company that asked permission to collect personal information.
48% of UK consumers would be more likely to purchase from a company they think is honest about how it collects and uses personal information.
57% of UK consumers are unaware of the EU’s ePrivacy Directive.
The large majority of UK respondents could not think of any positive examples of brands or websites in terms of the way they use data or information collected about them online. However, by far the most commonly mentioned brand/website is Amazon, with 13% of respondents citing it as a positive example.
Nearly two in every five (38%) consumers are happy for companies to use information they have collected about them online to show relevant offers, discounts and loyalty bonuses, provided they are transparent about it and give them control over their data. However, nearly a quarter (23%) would be unhappy about this.
Director of online, BT
The approach BT has taken provides users with easy-to-understand, up-front information about cookies – the different types and what they do – so that they can make an informed choice. We are using the language agreed with the International Chamber of Commerce to describe the types of cookies we use. When customers visit bt.com, they see a pop-up box giving them the option to change settings. Customers can clearly see that they are able to make a choice about various cookies and the effects of doing so. Customers can also change the settings whenever they wish.
So far, we can see that customers are generally choosing to keep the cookies we use to provide the best experience on our web pages, and we’ve been pleased by customers’ responses to the approach – it is not deterring them from continuing their visit to the site.
Our priority throughout has been ensuring customers have the best possible experience of the site while managing the requirements of the directive. We feel that it is best to be informative about our cookie use and allow the customer to make a choice, with a clear explanation of what happens with their online experience on the site based on that choice.