After months of anticipation, conjecture and debate, the ePrivacy Directive finally became a reality in the UK on 26th May 2012. While users have continued to engage with sites using cookies and third-party trackers, there has been a significant shift in awareness of how their personal data is captured and used, and new expectations of online publishers to ‘do the right thing’, and be seen as more transparent, honest and respectful in their advertising practices.

Being privacy-proactive can have a strong direct impact on the commercial performance of a business. In a recent Toluna/Evidon survey amongst 1,000 respondents, almost half of those asked (48%) agreed they would have a higher propensity to purchase from transparent brands, and a large majority (61%) claimed it is important that companies tell them how they are collecting and using the information about them. These findings suggest that consumers have strong opinions about data practices, and are prepared to reward companies that behave responsibly and communicate proactively.

The onset of the new law has brought about a flurry of compliance activity from highly visible brands such as British Telecom, Barclays, the BBC and Nectar, and these technical advancements have helped pave the way for others to follow suit. Be clear – the grace period offered up by the UK’s Information Commissioner’s Office (ICO) has now expired, and all businesses deploying cookies and other tracking technologies for third-party behavioural advertising (and virtually any other ad-related purpose including analytics, optimisation and attribution) must now gain consumer consent before collecting or using their data.

The good news is that because others have got in early, creating informative overlays, ‘Cookie Consent’ icons and opt-out buttons, it’s now easier for others to emulate and establish their own compliance programmes that satisfy the demands of the Directive. For those yet to implement a consent model, here’s our three-step guide to becoming compliant:

1. Carry out a site audit as a priority

The ePrivacy Directive stipulates that consent must be specific to all involved parties, which means you must first know about all parties currently tracking users on your site; otherwise, your chosen consent method might transpire to be null and void. A comprehensive tracking audit is listed as the essential first step by both the ICO and the French regulatory body, CNIL.

Once this process is complete, establish a mechanism whereby all tracking code on your sites – not just the cookies – is regularly monitored and audited. The Directive is misguidedly known as the ‘Cookie Law,’ but in fact covers all technologies used for tracking purposes. Get acquainted with page scripts, in addition to Flash objects, cookies, and any other methods being used to track the user. The Directive applies to both first and third-party tracking, so your audit will need to encompass all of this.

2. Clarify your consent strategy

What happens next largely depends on the outcome of your audit and your own business model. It may also be influenced by your personal vision of the ideal consumer experience, and how far you’re prepared to go in adapting country by country to varying consent standards across the EU.

The majority of UK sites are deploying implied consent methods: inserting a link or tab at the foot of a page linking to a cookie policy is a solid first step, but it is ambiguous whether this action alone meets the legal definition of consent. Companies must clearly demonstrate that they are providing the user with sufficient information in advance so that they are aware that tracking is occurring and are satisfied that by continuing into the site they have given consent for this to happen.

Note that if you’re operating in markets such as The Netherlands or France, where implied consent may be classed as insufficient, you will need to look at creating a more robust consent experience which forces the user into making a direct action in order to continue browsing a website.

3. Roll out the changes

Now is the time to bring in your IT department to roll out the system, which will put your strategy into action. A robust solution should comprise three principal components:

Revised page designs: Visual overlays that communicate in an instant that tracking is taking place using cookies and related technologies, and which offer a link to opt out, are an increasingly popular practice. Remember that these tools should include immediate disclosure of the specific companies that could be tracking the visitor to your site.

An opt-out mechanism: Simply providing a notice of tracking activity does not qualify as having achieved implied consent. Sites must integrate an opt-out mechanism that allows a visitor to withdraw consent completely from the non-essential first- and third-party trackers on your site. This is becoming more of an issue for today’s switched-on consumer.

Ongoing management: Only those sites with no third-party ad activity, minimal tracking activity overall, or a specific audience limited to one European country would be able to get away with a static consent implementation. The reality is that your new consent tool must be refreshed over time to reflect the dynamic tracking activity taking place on your site.

When it all seems like too much hard work, remember never to underestimate the value that increased trust and better consumer relationships will bring to your business. In today’s cynical world, that kind of exchange is priceless.

Colin O'Malley

Contributor


Colin is Evidon's Chief Strategy Officer, with responsibility for product strategy and regulatory outreach.