Organisations that operate online should be well aware of the revision to the EU’s Privacy and Electronic Communication Directive. The changes dictate that “explicit consent” must be gathered from web users who are being tracked via “cookies“. This was supposed to come into effect on the 26th of May.
However, it appears that the Information Commissioner’s Office has decided not to enforce compliance for a year as long as you can prove you are taking steps to adhere to the directive.
Why has the directive been revised?
“The aim of the changes is to protect privacy and, in particular, limit how much use could be made of behavioural advertising. This form of marketing involves people being tracked across websites, with their behaviours used to create a profile that dictates the type of adverts they see.”
Irrespective of my personal opinions on the aims of this revision, the need for it or how it is enforced, we need to work out how we are going to respond. Yes, we’ve effectively got a year to do this but given the potential implications it’s well worth thinking about them now.
What do the revisions mean for me?
The revisions to the directive basically mean that you must now get permission to use cookies for ad targeting, web analytics and site personalisation. Thankfully cookies that are “strictly necessary for a service requested by the user” have been excluded. For example, when a user of your website has chosen the goods they wish to buy and clicks the “add to basket” or “proceed to checkout” button, it is acceptable for a cookie to be used to remember what they chose on previous pages. However, the exclusion would not apply, if you have decided that your website is more attractive if you remember your user’s preferences or if you decide to use a cookie to collect statistical information about the use of your website.
So to summarise, the more directly the use of a cookie or similar technology relates to the user’s personal information, the more carefully you need to think about how to get your consent. Now that we’ve established that let’s look at the practicalities of complying.
How do I make sure we’re compliant?
With great difficulty it seems although the Information Commissioner’s Office (ICO) has released a “starting point for getting compliant” that recommends the following actions:
1. Perform a cookie audit
Review what cookies are in use and what they are used for. Identify which cookies are strictly necessary and might not need consent and remove any non-essential cookies.
2. Assess how intrusive your use of these cookies are
“Think of this in terms of a sliding scale, with privacy neutral cookies at one end of the scale and more intrusive uses of the technology at the other. You can then focus your efforts on achieving compliance appropriately providing more information and offering more detailed choices at the intrusive end of the scale.”
Google Analytics and other web analytics providers/solutions are highly likely to be perceived as intrusive and so obtaining “explicit permission” will be required.
Another pain point will be dealing with third-party powered features such as AddThis or YouTube as you will need to make users aware of the fact they are using a third party website and point them to information on how the third party might use cookies and similar technologies.
3. Work out how to obtain consent
Once you know what cookies will require explicit consent, you need to think about the best method for gaining it. The more privacy intrusive your activity, the more you will need to do to get meaningful consent.
The ICO also offer some suggestions on how to obtain “explicit consent” such as:
- pop-ups, splash pages and similar techniques
- new account sign-up terms and conditions that include tick-box consent options for cookies in use
- existing account changes to terms and conditions that include tick-box consent options for accepting changes to the cookies in use
- settings-led consent where implications of a change to the cookies used are clearly explained
- feature-led consent where implications of a change to the cookies used are clearly explained
Should I bother with this now?
Some are suggesting there’s no point thinking about this given the grace period and the inevitable changes that are likely to occur in between now and then. Unfortunately I completely agree with the sentiment but the reality is that the need to think about compliance has just been delayed, it hasn’t disappeared.
Our plans for compliance
For now we’ll be focussing on steps 1 & 2 so that as and when we’re all given the inevitable update prior to the expiry of the grace period we can address our clients specific issues with compliance as quickly as possible. Even though we can see the value in testing methods and messaging now, we can’t force our clients to commit resources to this as there is a significant risk that all of this work could be wasted with a change to how the Directive is interpreted by the ICO.
Disclaimer: I am not a lawyer and have no legal training whatsoever so please don’t take anything stated in this post as legal advice.
References:
New net rules set to make cookies crumble