
Responses to the EU Privacy Directive

The UK implemented the EU Privacy Directive (often known as the ‘Cookies Directive’) and gave online service providers a year to work on their solutions before enforcement began. That deadline passed on Saturday 26th May. Virtually all commercial websites (and many others) use cookies. Therefore virtually all websites you visit now should seek your consent to the continued use of cookies. A few are asking for permission, many are simply telling you, and some aren’t doing anything. So what’s going on?

It has been a hot topic, and a cause of many hours of heated discussions between corporate lawyers and technical teams, marketing teams and people like me – user experience designers.

We all care so much because cookies are part of what makes our online services feel smooth, personal, secure and even a little magical, and they provide businesses with invaluable data so that they can keep improving their services and respond to customer needs. They are also an important enabling technology which lets internet services work together to provide a joined-up experience (e.g. social media integration), and they fuel the industry which keeps many online services free for customers by making advertising more effective through targeting ads based on browsing behaviour.

What are cookies?
To backtrack a little, it’s worth describing what a cookie is. After all, part of the reason for the Directive was that people don’t know what they are, and the EU felt that they should so that they could be in control of their data.

A cookie is a simple text file, on your device, which your browser (or other online application) creates, updates or reads at the request of a website. You probably have hundreds of them. Because of the way the web works, web servers have no way of recognising visitors as they move from page to page, or return to the site in the future. As far as they are concerned, without cookies, they are serving pages, or elements in a page, which bear no relation to previous pages or elements served.

Storing identifiers or data on the user’s device lets the website recognise and respond to the user. When Amazon says “Hello Meriel” and recommends books to me it is recognising me using a cookie. This is a persistent cookie as it remains so that they can recognise me again in the future. Other cookies are far more short lived (session cookies). These provide a way for information to be carried from one page to another such as data entered into a form. Cookies cannot harm your computer and don’t contain secure information such as passwords. In themselves they therefore constitute no threat to a user, and indeed many websites simply won’t function without them.
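The distinction above between session and persistent cookies, and between a site's own cookies and those set by another service such as an ad network, can be read straight from the Set-Cookie headers a page triggers. The following is an added example, not part of the original article: the hosts, cookie names and values are constructed sample data, and it assumes the caller supplies the site's registrable domain rather than deriving it from the Public Suffix List.

```javascript
// Added example: classify cookies from captured Set-Cookie headers.
// All hosts, names and values below are constructed sample data.

function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const part of attrParts) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

function classifyCookie(entry, siteDomain, now) {
  const { name, attrs } = parseSetCookie(entry.header);
  // Max-Age takes precedence over Expires; with neither, the cookie
  // lasts only for the browser session.
  let expiresAt = null;
  if (/^-?\d+$/.test(String(attrs['max-age']))) {
    expiresAt = now.getTime() + Number(attrs['max-age']) * 1000;
  } else if (typeof attrs.expires === 'string') {
    const t = Date.parse(attrs.expires);
    if (!Number.isNaN(t)) expiresAt = t;
  }
  // Assumption: siteDomain is the registrable domain of the page visited.
  const host = entry.responseHost.toLowerCase();
  const firstParty = host === siteDomain || host.endsWith('.' + siteDomain);
  return {
    name,
    party: firstParty ? 'first' : 'third',
    lifetime: expiresAt === null ? 'session' : 'persistent',
    daysToExpiry: expiresAt === null ? null
      : Math.round((expiresAt - now.getTime()) / 86400000),
  };
}

function auditCookies(entries, siteDomain, now = new Date()) {
  return entries.map(e => classifyCookie(e, siteDomain, now));
}

const sample = [
  { responseHost: 'www.shop.example', header: 'basket=abc123; Path=/; HttpOnly' },
  { responseHost: 'www.shop.example', header: 'greeting_id=u42; Max-Age=31536000; Path=/' },
  { responseHost: 'ads.tracker.example', header: 'uid=9f1c; Expires=Wed, 26 May 2027 00:00:00 GMT; Path=/' },
];
console.table(auditCookies(sample, 'shop.example', new Date('2026-05-26T00:00:00Z')));
```

Long-lived cookies set by a host outside the site's own domain are the ones that correspond to the cross-site tracking described in the next section.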

Why is the EU concerned about them?
The concerns are around privacy. You may have noticed that adverts seem to know what you might be interested in. I looked at mattress covers at a major UK retailer this week. This data was collected into an ad service cookie on my computer which the retailer had allowed – you could say I was tracked. Since then, a high proportion of the ads I see, on totally unrelated websites, are connected to bedding. This is powerful market information which I never gave my permission for the retailer (or the ad service) to collect, or for other sites to use (even though it was post deadline).

What have online service providers been doing?
So cookies are a technical solution which provides both user benefits and business benefits.
The team at Foolproof has worked closely with many of our financial services, retail and media clients to help them find the best solution which satisfies both the legal requirement, and the commercial and user needs. It has been an exercise in mediating multiple parties around a dynamic and complex challenge.

Businesses recognised that a requirement to seek explicit consent was potentially enormously damaging to their customers’ experience, their competitiveness and their revenue streams, so they wanted to err on the side of minimal solutions (hence the heated discussions with lawyers). In the absence of case law, we’ve focused on guidance issued by the ICO to work out how minimal the solutions could legally be. Our primary challenge has been that three versions of the guidance have been released in the past seven months – all with fundamental changes – the last of which was the day before the deadline.

Why are the solutions out there so varied?

  • Some organisations planned their solutions around previously issued guidance which stated that consent had to be explicit, e.g. a button click or tick box associated with clear information on cookie use.
  • Others decided to play the risk game a little and use an implied consent solution by showing a message, often fleetingly, and taking the user’s continued use of the site as consent. They reasoned that the risk to the business of providing a poor user experience was greater than the risk of enforcement from the ICO because they could demonstrate that users were being informed. It just so happens that the latest guidance from the ICO endorses implied consent, so the risk has paid off for the UK market (some other EU markets will not be so flexible).
  • Some organisations have chosen not to invest in implementing any solution, or making a commercially damaging solution live until they see what others have done and how the ICO responds. Many have solutions up their sleeves.
  • Others have simply done nothing. If this is where your organisation sits – you are at the greatest risk of being made an example of – but it’s not too late.

What if you’ve done nothing?

  1. Don’t bury your head in the sand: As a minimum, if you use cookies, provide a way for your users to find out how you use cookies and link to it from the landing page(s).
  2. Look at what others have done: Many providers are taking a ‘lite’ approach whilst they see what competitors are doing, and how the ICO enforces the law. If this is your preferred approach you need to balance the ‘liteness’ of your approach with the risk of non-compliance.
  3. Understand what you use cookies for: Some will provide a user benefit, some a business benefit and some a technical benefit. You need to understand all three aspects. Generally, it’s the ones primarily for business benefit which are likely to be the most intrusive and therefore require particular attention.
  4. Use common sense: The law is vague and the guidance contradictory but all based on a desire to put people in control of their data to protect their privacy. So try to operate in the spirit of the law. If you use intrusive cookies, accept you need to be more explicit about gaining consent. If you don’t, then focus on providing information to reassure users and the ICO that you haven’t just stuck your head in the sand!
  5. Involve the right people: In defining your solution, don’t leave it to the legal department, or the technical department. Involve UX designers, such as Foolproof, who will be able to propose ways of making the information and consent usable.