Cookies outlook begins to clear

There has been panic and confusion surrounding the new EU ePrivacy Directive – dubbed the ‘cookie law’ – which came into force last month, with the intention of raising consumer awareness about how information is collected and stored by web pages.

Joe Wilson, e-marketing analyst at animal charity the RSPCA says: “At one point, everyone was a bit worried there would have to be a big pop-up on entry for every single site visitor, where they just tick a box saying ‘no’ and we wouldn’t be able to serve any cookies at all.”

The charity was not alone in its concerns. The UK’s communications minister Ed Vaizey commented that the directive was “well-meaning regulation that will be very difficult to work in practice”, while others have said the Information Commissioner’s Office (ICO), charged with regulating the law, has failed to provide enough information to brands around how to act. So what are brands doing to address the directive, and will it be enough for consumers?

Michael Ross, co-founder of Figleaves.com, advises ecommerce companies through his firm eCommera and is also an advisory board member of online retailer Glasses Direct. He says the ICO, by its own admission, has given relatively vague advice on what brands have to do to comply.

“When I spoke to the ICO, it didn’t want to be prescriptive because in other environments where it has been prescriptive, it hasn’t gone down very well. So it wanted to be vague, but obviously being vague has its consequences.”

In simple terms, the new law requires all websites to ask visitors for permission to store information about them – information that is often held in text files called cookies. While some cookies are essential to the smooth running of a site – for example, those used to remember what someone has put in an online shopping basket – others could be considered ‘intrusive’, such as those used to analyse users’ behaviour and to target ads according to their interests. The ICO has said that ‘essential’ cookies are likely to be exempt from complying with the rules, and it will focus its regulatory efforts on the most intrusive, ‘non-essential’ cookies.

As the laws are now fully in force, websites should already be seeking consent from visitors if they intend to use non-essential cookies. For those that have been slow to react, one of the key pieces of advice offered by Mandeep Masutay, vice chair of the ISBA digital action group and digital marketing manager at Molson Coors, is to carry out a site audit to identify exactly what cookies are in place and whether they are essential to its operation.

Recent research by Eccomplished, which looked at how 100 online retailers planned to respond to the new directive, revealed that 67% have been carrying out audits to meet the new requirements.

The RSPCA is one organisation that did act early, working with iSpy Marketing to carry out an audit. “[The audit] showed us how many cookies we were serving and which categories they were in – which are essential for the site, which can be classed as non-essential and which can be classed as non-essential and intrusive,” says Wilson.

“Without that audit it would have been hard but the fact that we have carried it out is also a key part of compliance with the law. You need to be able to show you have taken the time to do that work.”

It is something that Fujitsu also made a priority, and found a valuable experience. UK marketing director Simon Carter says: “It was very useful to carry out an audit to assess whether site cookies were really needed. For example, we recently switched to a different web statistics package and found that some pages still included cookies used for the old system. The audit allowed us to identify and remove these. The exercise also prompted a wider discussion of online privacy and a greater awareness of those issues within the business, which has proved positive.”

The Eccomplished research also showed that 67% of companies are updating and reconfirming their privacy statements. As Ross says, “The ICO has said it is going from a situation where information about cookies is buried on page 47 of [a brand’s] privacy policy to a situation where most people will have links in their footer and talk about what cookies they use.

“All the businesses I work with are taking the approach of extracting information about cookies from their privacy policy, putting it into a cookie policy and putting a link on the home page footer – but absolutely not giving ‘opt in’ or ‘opt out’ [options] to allow the site to work without cookies.”

Just days before the cookie law came into force last month, the ICO changed its guidance to indicate that this approach, known as ‘implied consent’, would not breach its interpretation of the law. But if the ICO doesn’t make websites ask users to explicitly opt in to receiving cookies, the European Commission could eventually rule that it is not enforcing the law effectively. Until that happens, however, it seems the most common response to the law is for websites to inform users that continued use of the site counts as consent.

Since March, the John Lewis Partnership has included detailed cookies-related information on johnlewis.com and waitrose.com – accessible on every page via a link in the sites’ headers or footers. Fujitsu has also updated its privacy policy to describe the way each cookie is used, and provides contact details for people requiring more information.

67 per cent of companies have carried out audits into cookie use on their websites

The RSPCA’s Wilson says the charity has taken similar action: “We will either provide specific instructions on that page or links to specific instructions of how users can opt out of the cookies classed as non essential and intrusive.” He cites display tracking cookies, used for targeting advertising across multiple different websites, as an example.

While carrying out audits and updating privacy policies might sound straightforward, there are challenges involved in compliance. Wilson says one of the biggest challenges the RSPCA faced was project managing the activity.

“There are stakeholders all round the organisation – me and my colleagues on the web team, the IT team, the legal department, the data protection department and our fundraising team. All of them had a big stake in this and we had to make sure they all knew what we were doing and how it affected them, making sure we ticked all their boxes. We have quite a few microsites around the organisation too, so we had to ensure they weren’t left out and people knew exactly what they needed to do.”

This view is supported by David Ellison, marketing services manager of ISBA. “A number of our members have been preparing in earnest for the EU privacy directive since last year,” he says. “We have suggested a multi-departmental approach to finding a solution, rather than simply leaving it to individual silos, such as marketing or IT departments, to get on with it.”

Another key challenge lies in minimising the impact of any site changes on the user experience. It is an area Fujitsu will continue to monitor after taking the bold move of introducing a bar asking each visitor if they would like to allow cookies. “We tried to make the design as effective as possible without disrupting the functionality of the website,” says Carter. “We hope the opt-in bar will have minimal impact on user experience but are keen to get feedback on this after the changes appear.”

The Countryside Council for Wales, which has just launched a website for the Wales Coast Path, has also been offering an opt-in bar asking visitors to consent to cookies, although web editor Cameron Edwards says it made sure it was using as few cookies as possible in the build phase. “We only utilise a ‘core’ default cookie, a few Twitter third-party cookies and a stats cookie.” The consent box details all of the cookies used.

Edwards says that one month after introducing the changes, the site was attracting between 25,000-30,000 people a week, and very few have opted out. “We are only seeing about 4-5% that aren’t consenting. Our policy was really one of just ‘fessing up’ to everything we use without necessarily scaring people, and minimising the look of the consent window so people still have a quality navigation experience. I’m not anticipating a huge loss of traffic. I have not seen any strong evidence that we are losing people because we’re telling them we use a web stats package.”

One of the main concerns from brands comes from the fact that site analytics cookies, which enable brands to record traffic numbers to their site, are being regarded as ‘non-essential’. Site owners are therefore worried they would have to ask for explicit permission to use them.

The ICO trialled this on its own site, requiring consumers to tick a box to allow analytics cookies to be used. It saw a 90% decrease in recorded traffic. Site owners fear, therefore, that using an active opt in could mean they will only be able to understand the behaviour of one in 10 of their customers.

It is something that has been concerning Carter at Fujitsu. “The main challenge in the future will be the impact on visitor tracking,” he says. “Tracking statistics are used to analyse anonymous visitor behaviour and let us identify areas of the site needing improvement. They also help us measure the success of online marketing campaigns.

“We don’t know how many people would disallow cookie use, so we don’t know the extent to which this would skew the data we collect on campaigns [if explicit consent becomes necessary]. We won’t have an accurate view of overall site visitor numbers, although we will be able to compare results from different pages. Finding new ways to analyse data effectively will be a challenge.”

As Figleaves founder Ross says, this could cause particular problems for retailers, or for brand owners selling direct to consumers and making marketing decisions using web analytics. “To be blunt, cookies are essential to run your business, so if you give people an opt in where 70, 80 or 90% of visitors go dark, you just can’t run your business like that – there is no way round that. I think people in a commercial environment could essentially not be complying with the law – it’s complicated.”

A study commissioned by consultancy Evidon shows that the majority (57%) of UK consumers claim not to be aware of the new directive, while just 31% believe they have a good understanding of the current rules about online data privacy. This would suggest that education – not an ultimatum – is the most sensible way forward for brands, to avoid consumers panicking and choosing not to opt in.

Ross believes most businesses that offer information about how they use cookies will not fall foul of the ICO: “I think common sense is prevailing. The smart ones will say we have spoken to enough of our peers, we are doing something and won’t lose sleep over it.”

He adds that “doing something” means having “a link on the site footer specifically explaining what cookies you use, and how they can be deleted and disabled – and that’s it.”

The ePrivacy Directive may be as clear as mud, but the spirit of the law is to be applauded. It also presents an opportunity to deepen customer relationships on the basis of renewed trust.