Responses to the EU Privacy Directive

Published by Gbaf News

Posted on June 7, 2012

Last updated: August 18, 2013

Implementation of the EU Privacy Directive in the UK

The UK implemented the EU Privacy Directive (often known as the ‘Cookies Directive’) and gave online service providers a year to work on their solutions before enforcing. That deadline passed on Saturday 26th May. Virtually all commercial websites (and many others) use cookies. Therefore virtually all websites you visit now should seek your consent to the continued use of cookies. A few are asking for permission, many are simply telling you, and some aren’t doing anything. So what’s going on?

It has been a hot topic, and a cause of many hours of heated discussions between corporate lawyers and technical teams, marketing teams and people like me – user experience designers.

We all care so much because cookies are part of what makes our online services feel smooth, personal, secure and even a little magical, and they provide businesses with invaluable data so that they can keep improving their services and respond to customer needs. They are also an important enabling technology which lets internet services work together to provide a joined up experience e.g. social media integration, and they fuel the industry which keeps many online services free for customers by making advertising more effective through targeting ads based on browsing behaviour.

Understanding Cookies and Their Purpose

What are cookies?
To backtrack a little, it’s worth describing what a cookie is. After all, part of the reason for the Directive was that people don’t know what they are, and the EU felt that they should so that they could be in control of their data.

A cookie is a simple text file, on your device, which your browser (or other online application) creates, updates or reads on the request of a website. You probably have hundreds of them. Because of the way the web works, web servers have no way of recognising visitors as they move from page to page, or return to the site in the future. As far as they are concerned, without cookies, they are serving pages, or elements in a page, which bear no relation to previous pages or elements served.

Storing identifiers or data on the user’s device lets the website recognise and respond to the user. When Amazon says “Hello Meriel” and recommends books to me it is recognising me using a cookie. This is a persistent cookie as it remains so that they can recognise me again in the future. Other cookies are far more short lived (session cookies). These provide a way for information to be carried from one page to another such as data entered into a form. Cookies cannot harm your computer and don’t contain secure information such as passwords. In themselves they therefore constitute no threat to a user, and indeed many websites simply won’t function without them.

Privacy Concerns Driving the Directive

Why is the EU concerned about them?
The concerns are around privacy. You may have noticed that adverts seem to know what you might be interested in. I looked at mattress covers at a major UK retailer this week. This data was collected into an ad service cookie on my computer which the retailer had allowed – you could say I was tracked. Since then, a high proportion of the ads I see, on totally unrelated websites, are connected to bedding. This is powerful market information which I never gave my permission for the retailer (or the ad service) to collect, or for other sites to use (even though it was post deadline).
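
The session/persistent distinction and the ad-service cookie described above can both be read straight from the Set-Cookie headers a page load produces. The following is an added example, not code from the article or from any site it mentions; the hostnames, cookie names and the suffix-match rule for "first party" are assumptions made for illustration.

```javascript
// Added example: classify Set-Cookie headers by lifetime and by party.
// All hostnames and cookie values below are constructed sample data.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    if (!a) continue;
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// A cookie with neither Max-Age nor Expires lasts only for the browser session.
function lifetime(cookie) {
  return ('max-age' in cookie.attrs || 'expires' in cookie.attrs) ? 'persistent' : 'session';
}

// Third party: set by a host outside the site the user is visiting.
// Simplification (assumption): suffix match on the site's domain, no Public Suffix List.
function party(responseHost, siteDomain) {
  const h = responseHost.toLowerCase(), d = siteDomain.toLowerCase();
  return (h === d || h.endsWith('.' + d)) ? 'first-party' : 'third-party';
}

function auditCookies(siteDomain, responses) {
  return responses.flatMap(({ host, setCookie }) =>
    setCookie.map(h => {
      const c = parseSetCookie(h);
      return { name: c.name, host, lifetime: lifetime(c), party: party(host, siteDomain) };
    }));
}

// Constructed sample: responses a single retailer page load might produce.
const sample = [
  { host: 'www.retailer.example', setCookie: [
    'basket=abc123; Path=/; HttpOnly',
    'remember_me=u42; Max-Age=31536000; Path=/; Secure' ] },
  { host: 'ads.adservice.example', setCookie: [
    'uid=9f8e7d; Expires=Wed, 26 May 2032 00:00:00 GMT; Path=/' ] },
];

const report = auditCookies('retailer.example', sample);
// Persistent third-party cookies match the cross-site tracking case described above.
const needsAttention = report.filter(r => r.party === 'third-party' && r.lifetime === 'persistent');
console.table(report);
```

Run against headers captured from your own site, the `needsAttention` list is a starting inventory of the cookies that exist primarily for business benefit.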

How Online Service Providers Have Responded

What have online service providers been doing?
So cookies are a technical solution which provides both user benefits and business benefits.
The team at Foolproof has worked closely with many of our financial services, retail and media clients to help them find the best solution which satisfies both the legal requirement, and the commercial and user needs. It has been an exercise in mediating multiple parties around a dynamic and complex challenge.

Businesses recognised that a requirement to seek explicit consent was potentially enormously damaging to their customers’ experience, their competitiveness and their revenue streams, so they wanted to err on the side of minimal solutions (hence the heated discussions with lawyers). In the absence of case law, we’ve focused on guidance issued by the ICO to work out how minimal the solutions could legally be. Our primary challenge has been that three versions of the guidance have been released in the past seven months – all with fundamental changes – the last of which was the day before the deadline.

Reasons for Diverse Compliance Approaches

Why are the solutions out there so varied?

  • Some organisations planned their solutions around previously issued guidance which stated that consent had to be explicit, e.g. a button click or tick box associated with clear information on cookie use.
  • Others decided to play the risk game a little and use an implied consent solution by showing a message, often fleetingly, and taking the user’s continued use of the site as consent. They reasoned that the risk to the business of providing a poor user experience was greater than the risk of enforcement from the ICO because they could demonstrate that users were being informed. It just so happens that the latest guidance from the ICO endorses implied consent, so the risk has paid off for the UK market (some other EU markets will not be so flexible).
  • Some organisations have chosen not to invest in implementing any solution, or making a commercially damaging solution live until they see what others have done and how the ICO responds. Many have solutions up their sleeves.
  • Others have simply done nothing. If this is where your organisation sits – you are at the greatest risk of being made an example of – but it’s not too late.

Implications for Non-Compliance with the Directive


What if you’ve done nothing?

  1. Don’t bury your head in the sand: As a minimum, if you use cookies, provide a way for your users to find out how you use cookies and link to it from the landing page(s).
  2. Look at what others have done: Many providers are taking a ‘lite’ approach whilst they see what competitors are doing, and how the ICO enforces the law. If this is your preferred approach you need to balance the ‘liteness’ of your approach with the risk of non-compliance.
  3. Understand what you use cookies for: Some will provide a user benefit, some a business benefit and some a technical benefit. You need to understand all three aspects. Generally, it’s the ones primarily for business benefit which are likely to be the most intrusive and therefore require particular attention.
  4. Use common sense: The law is vague and the guidance contradictory but all based on a desire to put people in control of their data to protect their privacy. So try to operate in the spirit of the law. If you use intrusive cookies, accept you need to be more explicit about gaining consent. If you don’t, then focus on providing information to reassure users and the ICO that you haven’t just stuck your head in the sand!
  5. Involve the right people: In defining your solution, don’t leave it to the legal department, or the technical department. Involve UX designers, such as Foolproof, who will be able to propose ways of making the information and consent usable.

Key Takeaways

  • UK implemented the EU Cookies Directive on 26 May 2011, with a one‑year grace period before enforcement began on 26 May 2012.
  • Post‑deadline, website operators must obtain informed user consent for non‑essential cookies, unless strictly necessary.
  • Compliance sparked coordination between legal, technical, marketing, and UX teams to balance regulatory, business, and user needs.
  • Information Commissioner’s Office (ICO) began phased enforcement, generally taking a pragmatic approach and targeting non‑compliant sites after a complaint.
  • Consent methods vary: consent banners, implied consent via settings, or minimal notices depending on cookie types and necessity.

Frequently Asked Questions

When did the UK start enforcing cookie consent rules?
Enforcement began on 26 May 2012, after a one‑year grace period following the UK’s implementation on 26 May 2011.

What cookies require user consent?
All non‑essential cookies require prior informed consent; only strictly necessary cookies (needed for requested services) are exempt.

How does the ICO enforce the directive?
The ICO generally takes a pragmatic, phased approach, initially contacting non‑compliant organizations for explanations before moving to enforcement.

What options do businesses use to obtain consent?
Many use banners or notices seeking explicit consent; in some cases, implied consent via browser settings is accepted by the ICO.
