It has been a hot topic, and a cause of many hours of heated discussions between corporate lawyers and technical teams, marketing teams and people like me – user experience designers.
What are cookies?
To backtrack a little, it’s worth describing what a cookie is. After all, part of the reason for the Directive was that people don’t know what they are, and the EU felt that they should so that they could be in control of their data.
A cookie is a simple text file, on your device, which your browser (or other online application) creates, updates or reads on the request of a website. You probably have hundreds of them. Because of the way the web works (each request is handled in isolation), web servers have no way of recognising visitors as they move from page to page, or return to the site in the future. As far as they are concerned, without cookies, they are serving pages, or elements in a page, which bear no relation to previous pages or elements served.
Storing identifiers or data on the user’s device lets the website recognise and respond to the user. When Amazon says “Hello Meriel” and recommends books to me it is recognising me using a cookie. This is a persistent cookie: it remains on my device so that they can recognise me again in the future. Other cookies are far more short-lived (session cookies). These provide a way for information to be carried from one page to another, such as data entered into a form. Cookies cannot harm your computer and don’t contain secure information such as passwords. In themselves they therefore constitute no threat to a user, and indeed many websites simply won’t function without them.
Why is the EU concerned about them?
The concerns are around privacy. You may have noticed that adverts seem to know what you might be interested in. I looked at mattress covers at a major UK retailer this week. This data was collected into an ad service cookie on my computer which the retailer had allowed – you could say I was tracked. Since then, a high proportion of the ads I see, on totally unrelated websites, are connected to bedding. This is powerful market information which I never gave my permission for the retailer (or the ad service) to collect, or for other sites to use (even though it was post deadline).
What have online service providers been doing?
So cookies are a technical solution which provides both user benefits and business benefits.
The team at Foolproof has worked closely with many of our financial services, retail and media clients to help them find the best solution which satisfies both the legal requirement, and the commercial and user needs. It has been an exercise in mediating multiple parties around a dynamic and complex challenge.
Businesses recognised that a requirement to seek explicit consent was potentially enormously damaging to their customers’ experience, their competitiveness and their revenue streams, so they wanted to err on the side of minimal solutions (hence the heated discussions with lawyers). In the absence of case law, we’ve focused on guidance issued by the ICO to work out how minimal the solutions could legally be. Our primary challenge has been that three versions of the guidance have been released in the past seven months – all with fundamental changes – the last of which was the day before the deadline.
Why are the solutions out there so varied?
- Some organisations planned their solutions around previously issued guidance which stated that consent had to be explicit, e.g. a button click or tick box associated with clear information on cookie use.
- Others decided to play the risk game a little and use an implied consent solution by showing a message, often fleetingly, and taking the user’s continued use of the site as consent. They reasoned that the risk to the business of providing a poor user experience was greater than the risk of enforcement from the ICO because they could demonstrate that users were being informed. It just so happens that the latest guidance from the ICO endorses implied consent, so the risk has paid off for the UK market (some other EU markets will not be so flexible).
- Some organisations have chosen not to invest in implementing any solution, or making a commercially damaging solution live until they see what others have done and how the ICO responds. Many have solutions up their sleeves.
- Others have simply done nothing. If this is where your organisation sits – you are at the greatest risk of being made an example of – but it’s not too late.
What if you’ve done nothing?
- Look at what others have done: Many providers are taking a ‘lite’ approach whilst they see what competitors are doing, and how the ICO enforces the law. If this is your preferred approach you need to balance the ‘liteness’ of your approach with the risk of non-compliance.
- Use common sense: The law is vague and the guidance contradictory but all based on a desire to put people in control of their data to protect their privacy. So try to operate in the spirit of the law. If you use intrusive cookies, accept you need to be more explicit about gaining consent. If you don’t, then focus on providing information to reassure users and the ICO that you haven’t just stuck your head in the sand!
- Involve the right people: In defining your solution, don’t leave it to the legal department, or the technical department. Involve UX designers, such as Foolproof, who will be able to propose ways of making the information and consent usable.
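To make the session-versus-persistent distinction from the cookie explanation above concrete, and to show what “being more explicit about consent for intrusive cookies” looks like on the server, here is an added example (not Foolproof’s or any client’s code). It assumes a hypothetical retail site whose cookies are sorted into categories, with consent recorded in a constructed cookie named cookie_consent; strictly necessary cookies are always set, everything else only once the matching category has been consented to.

```python
from http import cookies

# Constructed cookie catalogue for a hypothetical retail site.
# max_age None  -> session cookie (discarded when the browser closes)
# max_age N     -> persistent cookie (Max-Age=N seconds, survives restarts)
COOKIE_POLICY = {
    "sessionid":  {"category": "strictly_necessary", "max_age": None},
    "basket":     {"category": "strictly_necessary", "max_age": 7 * 86400},
    "ad_tracker": {"category": "advertising",        "max_age": 365 * 86400},
    "analytics":  {"category": "analytics",          "max_age": 30 * 86400},
}


def consent_given(request_cookie_header):
    """Parse the incoming Cookie header and return the set of categories
    the user has consented to. Consent lives in the hypothetical
    'cookie_consent' cookie as a comma-separated list of category names."""
    jar = cookies.SimpleCookie()
    jar.load(request_cookie_header or "")
    if "cookie_consent" not in jar:
        return set()
    return {c.strip() for c in jar["cookie_consent"].value.split(",") if c.strip()}


def build_set_cookie_headers(request_cookie_header, values, secure=True):
    """Return the Set-Cookie header values a response may emit for `values`
    (a name -> value dict). Strictly necessary cookies are always set;
    advertising/analytics cookies are skipped unless consent is recorded."""
    consented = consent_given(request_cookie_header)
    headers = []
    for name, value in values.items():
        policy = COOKIE_POLICY[name]
        if policy["category"] != "strictly_necessary" and policy["category"] not in consented:
            continue  # no consent for this category: do not set the cookie
        jar = cookies.SimpleCookie()
        jar[name] = value
        morsel = jar[name]
        morsel["path"] = "/"
        morsel["httponly"] = True      # keeps page scripts from reading the identifier
        morsel["samesite"] = "Lax"     # not sent on most cross-site requests
        if secure:
            morsel["secure"] = True    # only sent over HTTPS
        if policy["max_age"] is not None:
            morsel["max-age"] = policy["max_age"]  # this is what makes it persistent
        headers.append(morsel.OutputString())
    return headers
```

Without a consent cookie, only sessionid and basket are ever set; once the browser presents cookie_consent=advertising, the ad_tracker cookie is issued with a one-year Max-Age.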