Practical plans for cookie compliance


When the EU’s new online privacy directive for website cookies comes into force on 25 May, companies will no longer have the choice of whether to complain or comply.

As the data commissioner Christopher Graham said last month, the time for relying on the former passed years ago. Now, brand websites have to work out how best to go about meeting the requirements of the law, which states that users must give informed consent for cookies to be placed on their browser collecting information about them.

Of course, the problem is that no-one yet knows exactly how the law will be enforced. Is explicit permission needed for every new cookie? Is offering an opt-in or opt-out to broad categories an acceptable alternative? These questions have not been definitively answered.

Nontheless, practical examples of how companies might respond have begun to emerge. Yahoo! has implemented a button on the advertising space it hosts allowing surfers to set what it calls AdChoices. It provides the opportunity to choose which kinds of ads are shown, or to opt out of all categories. For this to be effective, however, the user must be signed into a Yahoo! account.

AdChoices is not explicitly aimed at addressing the cookie directive, more at making the ads it serves more personalised and relevant. It is not yet clear whether it satisfies the law in itself.

TRUSTe, which provides certification services with an online privacy seal, has taken a different approach and a selection of web-based companies have now signed up to the service. Online ad network Specific Media and analytics company comScore are among those to have undergone an audit by the firm verifying they meet certain criteria in their approaches to data collection, retention and use, as well as privacy and choice.

Again, in public announcements the companies have shied away from making any claims that the privacy seal does in fact represent compliance, since no-one can yet say this for sure. But they would undoubtedly like to be seen as making the early running in setting what might come to be seen as accepted standards in this area.

While the level of enforcement remains a mystery, there might still be an opportunity to influence how regulatory policy develops. The European Commission will ultimately have the responsibility of deciding whether efforts of individual EU member states have been sufficient.

One presumes the best way to keep regulation light-touch is to show that web users can make clear choices as painlessly as possible. On the other hand, there is a perverse (though logical) argument that regulators might be scared off applying strict controls to websites if the online experience becomes an obvious annoyance to users.

But it would be a brave and probably foolish brand that put its customers through that in the hope of getting what it wants from the regulatory regime.


    Leave a comment