We’ve had an extra year to comply, but hardly any companies seem to be ready yet
Hear that sound? That’s the thundering roar of thousands of keys being smashed, as small and medium sized businesses beg for their service providers to turn off cookies on their website or build in some opt-in and opt-out buttons/messages. In the case of some, this frantic technical request has long gone un-answered:
— COBRA (@cobrasupport) April 17, 2012
Unsure just what the E-Privacy Directive is? Going by official advice, it’s understandable that you might very well be. The Information Commissioner’s Office is responsible for enforcement in the UK, but their advice is not exactly thought leader material.
In fact their own attempt at compliance may leave some of their website visitors wondering:
What on earth is a cookie?
Should you want to know what the ICO’s cookies are, you’ll need to read their in-depth “privacy notice”, which again is hardly simplified in a manner for the people this legislation is meant to protect – those not savvy enough to set up their browsers to avoid cookies.
The following video explains the situation in a humorous and informative manner:
Considering that cookies outside of advertising are about improving the user experience on websites, you don’t really want to put people off going on to websites, but current suggestions for compliance seem anything but user-friendly. To some degree, it’s like asking a patient in a hospital to make a decision on a complex medical procedure and expecting them to be in full possession of the facts, which they could only truly be if they were a doctor.
There is some sensible advice out there
Recently, the International Chamber of Commerce in the UK released a guide on how to sensibly approach the matter of cookies. Of course, this doesn’t help if your site is provided through a third party and/or you have no control over the cookies, as demonstrated above.
Through the guide, the ICC lays down the notion that browser cookies come under four categories:
- Strictly necessary cookies
- Performance cookies
- Functionality cookies
- Targeting cookies or advertising cookies
Each category requires different wording when informing users of why your website uses them and the ICC suggests how to word permission requests.
A quick (probably) meaningless survey
With just over a month until websites operating in the UK need to comply, I decided to visit seven well known e-commerce sites to see if any were living up to the guidelines from the ICC or ICO.
Recently, The Register was able to get a rather “meaty” response from the Information Commissioner’s Office regarding how it expected organisations to comply:
The Regulations do not distinguish between cookies used for analytical activities and those used for other purposes. We do not consider analytical cookies fall within the ‘strictly necessary’ exception criteria. This means in theory websites need to tell people about analytical cookies and gain their consent.
In practice we would expect you to provide clear information to users about analytical cookies and take what steps you can to seek their agreement. This is likely to involve making the argument to show users why these cookies are useful. Although the Information Commissioner cannot completely exclude the possibility of formal action in any area, it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals.
Provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action.
So sites using ads really do need to comply. Taking into account that several of the seven sites I used for my quick survey use third party cookies for advertising and none asked for my consent to use them, there is still a severe lack of compliance taking place.
Those behind popular web browsers have also been looking into ways as to how to roll out easy-to-use forms of “Do Not Track“. These range from browser settings to plug-ins users can install. Yet again it relies on users understanding something that may be beyond their comprehension.
Personally, I get the feeling that those who do comply will start to see huge drops in traffic and there are plenty of sites out there that EU citizens enjoy for free, because there are ads on them.