April 26th 2012
Website owners across the UK breathed a sigh of relief last year when The Information Commissioner's Office (ICO) announced it was giving businesses and organisations a year to “get their house in order” on changes to the Privacy in Electronic Communications Regulations (PECR).
This stay of execution before requiring organisations to gain consent prior to placing cookies on users' computers saw relief replaced with a short burst of optimism. Optimism that over the coming months, best practice pioneers on cookie regulations would emerge. Pioneers, from whom we could learn, develop and improve our websites.
But, rather inevitably, life seemed to get in the way.
No-one really came up with a comprehensive plan for cookies. No-one really got to grips with what required an opt-in and what didn’t. At times, even the messaging coming from the powers that be was confusing.
A year later, the cookie amnesty is coming to an end and unfortunately the vast majority of website owners are no closer to meeting the requirements of PECR than they were a year ago.
Cue the ICO reminding us that “this isn’t going away, it’s the law”.
It’s arguable that the time to act was a year ago (maybe even 18 months), but as it’s been a while since the initial excitement about the changes to cookie usage, it’s probably best to start with a quick refresher of the requirements…
This is about privacy, not technology
It’s not unfair to say that the general public (and indeed most B2B professionals) do not, on the whole, have a firm grasp of online privacy and security. You don’t have to think very long or very hard in order to find some stark contradictions between what people think and the way they behave. It’s normal to be apprehensive of things we don’t understand, and the portrayal of ‘big brother brands’ mercilessly gathering up and selling on customer information has done little to reassure people.
But, and there’s always a but, you’re not required to obtain an opt-in for all cookies. The legislation states that “in instances where it is strictly necessary to do so for the functionality of the website and where that action is explicitly requested by the user” then no opt-in is required.
So, if a function or component of the website won’t work without a cookie – the shopping basket on an ecommerce site for instance – then no opt-in is required. In addition to this, the UK Government has taken the view that cookies placed for analytics are “minimally intrusive” and therefore opt-ins for such will not be actively sought by regulators (have a look at this useful post on EConsultancy for more information).
So, what does compliance look like?
When the amnesty ends on 26th May your websites will need transparent and prominent information on what cookies you use, whilst also giving users the ability to easily opt in or opt out. Start by auditing the cookies your site actually sets:
- Do they contain personal information such as a user’s email address?
- How long do the cookies last once they have been placed?
- Are the cookies 1st or 3rd party (are they placed by the website itself or by a partner website or service)?
Understanding all of this will help you to develop a strategy for gaining consent. Or, help you discover whether you need to gain consent at all.
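To make that audit repeatable, here is a small Node.js helper (an added example, not code from the original post) that answers the three questions above for each Set-Cookie header a site emits and flags which cookies fall outside the “strictly necessary” exemption. The site host, the purpose register and every sample header are constructed for illustration.

```javascript
// Added example: audit Set-Cookie headers against the three questions in the post
// (personal data, lifetime, 1st/3rd party) and decide whether consent is needed.
// SITE_HOST, PURPOSES and SAMPLES are constructed values, not from a real site.
const SITE_HOST = "www.example.co.uk";

// Purpose register the site owner maintains; cookie names here are invented.
const PURPOSES = { basket: "strictly-necessary", _ga: "analytics", adtrack: "marketing" };

// Crude check for the one kind of personal data the post names: an e-mail address.
const EMAIL_RE = /[^\s@;=]+@[^\s@;=]+\.[a-z]{2,}/i;

function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const attrs = {};
  for (const a of rest) {
    const i = a.indexOf("=");
    attrs[(i === -1 ? a : a.slice(0, i)).toLowerCase()] = i === -1 ? true : a.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Lifetime in seconds measured from `now` (ms since epoch); 0 means a session cookie.
function lifetimeSeconds(attrs, now) {
  if (attrs["max-age"] !== undefined) return Number(attrs["max-age"]); // Max-Age takes precedence over Expires
  if (attrs.expires) return Math.max(0, Math.round((Date.parse(attrs.expires) - now) / 1000));
  return 0;
}

// 1st party = set by the site itself (or one of its subdomains); anything else is a partner service.
function party(responseHost) {
  const base = SITE_HOST.replace(/^www\./, "");
  return responseHost === base || responseHost.endsWith("." + base) ? "1st party" : "3rd party";
}

// Audit one Set-Cookie header received from `responseHost`.
function auditCookie(header, responseHost, now = Date.now()) {
  const { name, value, attrs } = parseSetCookie(header);
  let decoded = value;
  try { decoded = decodeURIComponent(value); } catch (_) { /* keep undecodable value as-is */ }
  const purpose = PURPOSES[name] || "unknown";
  return {
    name,
    containsEmail: EMAIL_RE.test(decoded),
    lifetimeSeconds: lifetimeSeconds(attrs, now),
    party: party(responseHost),
    purpose,
    needsConsent: purpose !== "strictly-necessary", // only strictly necessary cookies are exempt
  };
}

// Constructed sample responses, resolved against a fixed clock so Expires is deterministic.
const NOW = Date.parse("2012-05-26T00:00:00Z");
const SAMPLES = [
  ["basket=abc123; Path=/; HttpOnly", "www.example.co.uk"],
  ["_ga=GA1.2.1; Expires=Sun, 26 May 2013 00:00:00 GMT; Path=/", "www.example.co.uk"],
  ["adtrack=user%40example.org; Max-Age=31536000; Domain=.ads.example.net", "ads.example.net"],
];
const REPORT = SAMPLES.map(([h, host]) => auditCookie(h, host, NOW));
console.table(REPORT);
```

Unknown cookie names come back with purpose "unknown" and needsConsent true, which is the safe default until the owner classifies them.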
If you do need to gain consent from your users, then there are a few different methods to ensure you’re transparent and prominent about your cookie usage.
- A pop-up dialogue box could load when people arrive at the website, telling users what cookies are applied, what they are for and allowing them to consent or not. Until the user has made their decision, they won’t be able to use the website. On the upside, this is an unequivocal opt-in. By enforcing the opt-in when the page loads, you’ve left users in no doubt of the cookie usage. On the downside, this is a very intrusive way of gaining consent, and being this transparent is quite likely to increase the bounce rate on your website. See analytics one month hence for evidence!
- A warning bar could be used in a similar way to a status bar and would appear every time the website tries to set a cookie. Users would simply accept or refuse the request within the warning bar, and it’s quite likely that this sort of functionality will be incorporated into web browsers in the not-too-distant future. Just like the status bar, this is a less intrusive but potentially missable way of obtaining an opt-in.
If you are looking for a real-world example of implementation, then you could do worse than visit bt.com. They’ve devised a comprehensive, clear and concise system for obtaining opt-in and it’s a model that many websites could follow.
It goes without saying that the drive to improve online security and ensure the privacy of individuals is laudable and should be supported. But legislation which requires users to opt in to features and functions they simply expect to happen online could lead to them opting out of online activity through technological ignorance rather than a genuine decision to protect their data privacy.
In the short term this is unlikely to make the web a more user-friendly place and the smooth customer journeys that we’ve come to expect (particularly from e-tailers) could be damaged.
Ed Vaizey, Minister for Culture, Communications and Creative Industries, has confirmed that the UK Government is liaising with browser manufacturers on how to improve browsers, increase the information available on cookies and make the job of managing cookies simpler and a lot more user-friendly. Also, as more and more people move away from desktop web-surfing and engage with online content through mobile devices without the use of a browser, the need for internationally ratified privacy standards becomes apparent.
There’s a long way to go in understanding how this change will affect the web user's experience in the medium to long term, but these regulations are the law and compliance isn’t optional.