Now that the EU ePrivacy Directive (known locally as the 2011 UK Privacy and Electronic Communications Regulations) enforcement date has passed, most digital marketers are breathing a considerable sigh of relief after the confusion and mixed messages of recent months. We’ve watched as the industry developed a number of educational and practical initiatives to help companies comply with the law. We’ve seen major players such as the BBC and Yahoo! setting out their stalls, the emergence of a range of companies offering end-to-end solutions, and advice from trade bodies and associations such as the IAB and DMA. With debates raging across the EU, as well as the varied examples from the industry, public and private sectors offering no clear solution, there has been understandable concern – and little clear, practical guidance on what we actually need to do.
So what’s changed? Well, it’s all down to a little last-minute addition called Implied Consent. This magical phrase has changed a seemingly impossible, illogical task into something altogether more sensible and achievable. For an overview of the law and pre-enforcement guidance, I highly recommend clicking over to this article first.
Consent & Confusion
The crux of the matter has been the legal requirement for ‘informed consent’, which could have potentially meant either explicitly provided, or implied through certain actions. The EU legislation upon which our law is based states:
“Consent shall mean any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.”
This is, on the face of it, a logical and worthy approach to consent. But the idea that consumers might need to proactively understand, review and approve or deny each cookie served on a site seemed ambitious to say the least. It could have been worse though! Luckily, an earlier grey area about whether consent is required before a cookie is set (ie prior consent) has been resolved by the ICO accepting that, as many websites set cookies on as soon as a visitor accesses the site, prior consent is unachievable in the main.
Regardless of the ambitious aims of the law, the December 2011 update from the Information Commissioners Office (ICO) stated that general consumer awareness of cookie was not sufficient enough for implied consent to be acceptable and there are some numbers to back this up. The IAB and ValueClick recently ran a survey to find out what consumers felt. Only 57% knew what a cookie was, but promisingly just under half are happy for advertising to be based on previous browsing activity, while 55% stated a preference for advertising relevant to their interests. (In fact, 61% felt that large portions of the internet could simply disappear without advertising and only 10% who would consider paying for content or services instead.)
The Implications of Implied Consent
Implied Consent, based on the ICO’s 25th May 2012 update (yes, just one day before the enforcement date!), is however now deemed a valid form of consent which can be used for compliance in many cases. It quite simply means that users, by their continued use of a site’s services for example, could be deemed to have accepted the use of cookies to collect data about them and their activity.
According to the Privacy Sense website:
“Implicit consent — also known as deemed or indirect consent — can mean two things:
- You voluntarily provide personal information for an organization to collect, use, or disclose for purposes that would be considered obvious at the time, or
- You provide personal information to an organization and it is used in a way that clearly benefits you and the organization’s expectations are reasonable.
Implied consent is usually inferred from your actions and the current circumstance you are in.”
How the Land Lies Now
Days before the enforcement date, 47% of UK marketers weren’t confident their consumer consent efforts would be deemed legal compliance (DMA & DataGuidance) while KPMG’s May 2012 representative survey of 55 major UK websites found that only 5% were compliant. Post enforcement, the percentage of compliant major sites and services rose to 20%, which is still a meagre figure considering this also looked at public sector and government sites.
Indeed, many UK businesses are still studiously ignoring the need for compliance and while this ‘wait and see’ approach is perhaps understandable due to the continually shifting landscape, complacency is not a viable option. You may be surprised, or perhaps comforted, to know that even some EU governmental sites are not following their own guidance, implied or indeed explicit. There has also been a reluctance amongst some EU members to implement the law, probably for the very same reason, but this has now resulted in a number of countries being taken to court for non-compliance. Belgium, the Netherlands, Poland, Portugal and Slovenia are now facing the possibility of having to pay daily fines of between £10,000 and £90,000 due to the fact they have not transcribed the EU directive into national law. The Netherlands may well avoid a fine though as it has just implemented the directive into local law with both explicit and prior consent requirements, for both first and third party cookies. While it will take some time to understand the full implications of this move, the potential commercial disadvantage could bring about an exodus of digital marketing companies (and their data centres) to other, less stringent locations in Europe.
Companies themselves can be fined up to £500,000 for non-compliance by the ICO, which has said that consumers are already contacting them to complain about sites that have not gained their permission to use cookies.
Good Practice Guidance
Regardless of how you gain consent, it is important for us all to understand that things have changed, and we need to evolve alongside. Consumers need to know what kind of information is being collected and why. Going back to the IAB / ValueClick survey mentioned above, only 19% of UK consumers do not take any action to manage their online privacy, 40% want easy access to information about the information gathered about them and nearly half want to control the kind of advertising they see online.
At its most basic, there are 4 clear stages to compliance:
- Audit your business and assess the categories of cookie according to intrusiveness.
- Engage with your partners and suppliers to ensure all their relevant information, procedures and policies are correct and up to date.
- Provide consumers with clear, signposted access to information, education and controls about the use of cookies.
- Keep evolving in line with both the law and your industry peers and keep records of your continued efforts.
We’ve been tracking the topic closely over the last year, and have much sympathy for those sites that endeavoured to implement explicit consent by adding pop-ups and restrictions to their services. While the majority sighed with relief at the ICO’s last-minute relaxation of the consent requirement, these companies will have rightly felt angry at the wasted time, energy and cost.
At Acquisio, we partner with The Trade Desk to provision the cookie-based tracking technology for our performance media platform, which has in turn taken a highly responsible approach to the issue. The Trade Desk is fully compliant with the AdChoices initiative, and uses the Trust-e service to deliver compliance. This results in all targeted advertising clearly showing a clickable AdChoices icon, which then expands to give extra information, and a link to further information and consumer-level controls. We are actively working with our clients and partners to ensure that our efforts are being communicated through to the consumers themselves and at the same time investigating ways in which we can provide consumers with the choice of opting out of all cookies set using tag container technology.
What the Future Holds
There can be no doubt that online privacy and the use of consumer data is an important topic. Regulators should be applauded for starting this important conversation and endeavouring to create balance and order in the sometimes chaotic digital world. But it is going to take time, and lots of it, for us all to identify, understand and implement the required information and controls, whether we are digital marketers, law makers or even industry bodies.
Depending on how things pan out over the next few months, the impact of this potential loss of data from which to tailor, target and track advertising could be challenging. The ICO’s own website lost 90% of analytical traffic data when it implemented an explicit consent policy and procedure and if this carries through to advertising data, we may well find ourselves, and our clients, being challenged once more to justify digital budgets. A key point to remember is that, despite its ‘cookie law’ moniker, this is not about cookies, it’s about online privacy and information. Therefore looking to identify and implement non-cookie based methods of tracking instead of implementing cookie consent measures will probably have a short shelf life.
The privacy movement is also continuing to gain momentum and the EU’s right to be forgotten, along with the proposed Do Not Track initiative due to be in place by the end of this year, will shift and shape the online privacy landscape further. Beyond this, there is a Do Not Collect initiative being mooted as the next stage of Do Not Track. This is a logical next step due to the core fallacy of the Do Not Track initiative in that it can only send a user’s preferences about tracking. Unless the site which the user is on has changed its code to facilitate that preference, data is still provided and it is down to each site and service as to how they interpret and act on the preference.
The global industry is endeavouring to self-regulate on this issue, which, considering the amount of confusion created by our own attempts at regulation by law, can only be a good thing. After all, we are the ones who understand and work within the already exacting parameters on a daily basis. By the time this article is published, a new raft of updates will undoubtedly have moved the debate further forwards. The EU is preparing updated guidelines for its member states delineating between different types of cookie and the consent they expect us to generate, while the ICO will undoubtedly be actively evolving its guidance, compliance and enforcement policies as things evolve further.
As responsible digital marketers, all we can do currently beyond implementing and activating the core compliance requirements is keep track of the developments, educate our partners and customers and continue to deliver compliant, commercially successful digital marketing technologies and campaigns.