8 May 2011

The EU “Cookie law” is still unclear, despite UK Government advice

The Information Commissioner’s Office (ICO) has finally released some advice on how to interpret the EC’s new cookie laws. Despite the continued lack of clarity, it does look like there will have to be some improvements in the way we communicate how websites work to the people that use them.

The European Union has moved in response to privacy campaigners who have been concerned about the use of cookies in tracking web users. Advanced tracking techniques used in behavioural targeting are accused of being an invasion of privacy, as users are generally not aware that they are being monitored.

Ideally, a user should be told if their browsing behaviour is going to be tracked for marketing purposes. The issue is how to obtain permission from users without detracting from the user experience. After all, not all cookies involve an invasion of privacy – some cookies are necessary for the normal operation of a website and they can even be used to help secure personal information.

A series of changes have been made to The European Union’s Privacy and Electronic Communications Regulations that are due to come into force in late May. Governments have been slow to respond to them so there is a degree of confusion around what these changes really mean for websites.

We might have some guidelines but we don’t have clear guidance

The Information Commissioner’s Office has finally released some guidelines, though there are no details around enforcement as yet. This does not look like a draconian system of control, as the advice recognises that cookies “perform a number of legitimate functions”. However, it does suggest that we will have to start putting more effort into explaining to users what our websites are doing.

Previously, you were obliged to explain how you used cookies and give the user the opportunity to opt out. This was usually dealt with by publishing a privacy policy that included an “opt-out” feature. However, an amendment has been made to the rule covering the use of cookies stating explicitly that the user must explicitly “give his or her consent” to their use.

This does not necessarily cover every cookie though. The legislation allows for cookies to be exempted where they are regarded as “strictly necessary” for the operation of your website. This has to be limited to a small number of activities and related to the service requested by the user.

For example, a cookie that is used to track a shopping basket would appear to be exempt as it is being used to implement a service that a user has explicitly requested. Cookies are also used as a means of keeping a user logged in to a website – in this context they are actually being used to help keep a user’s personal information safe.

The ICO concentrates on those cookies that it regards as intrusive, but it is not that easy to determine when a cookie becomes a problem. For example, it does not seem to regard simple statistics packages that track unique page visitors as intrusive. On the other hand, it explicitly states that building “detailed profiles of an individual’s browsing activity” is intrusive.

Given that it is very difficult to determine an absolute point at which cookies become intrusive, the ICO advice describes a “sliding scale”. You would be expected to concentrate your efforts on explaining, and do more to seek approval for, cookies at the more intrusive end of this scale.

How should you get a user’s approval?

The other main area of confusion is over how you might be expected to get approval for cookies. The ICO advice is not very helpful here and states that it “does not intend to issue prescriptive lists on how to comply”.

A number of different methods are discussed – most of them terrifying to the average UX – including such delights as pop-ups and scrolling text. The EU directive suggests that a user’s browser settings could become a means of obtaining consent in the future, but the majority of browsers are not sophisticated enough to do this in a meaningful way yet and are unlikely to for a while.

The ICO is clear about what it expects website owners to do next. You should check what tracking technologies you are using, assess how intrusive they are and then decide how best to seek consent from users.
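The three steps above (inventory the cookies you set, place each on the sliding scale, then gate the non-essential ones behind consent) can be turned into a small audit script. The following is an added example, not code from the original post or from the ICO: it parses the `Set-Cookie` headers a site sends, sorts each cookie into one of three constructed categories that follow the article's reading of the ICO advice (strictly necessary, low-intrusion statistics, intrusive profiling), and shows a consent gate that lets the shopping-basket and login cookies from the earlier example through while holding back tracking cookies. The domain `example.com`, the cookie names, their purposes and the 90-day threshold are all assumptions made for this example; it also flags a login cookie that is missing the `Secure` or `HttpOnly` attributes, since a cookie that keeps a user logged in is only protecting their personal information if it is itself protected in transit and from script access.

```javascript
// Added example, not part of the original post. Node.js, no dependencies.
const SITE_DOMAIN = 'example.com'; // assumption: the first-party domain being audited

// Constructed registry mapping each cookie name to its documented purpose.
// The purpose decides where a cookie sits on the sliding scale.
const COOKIE_PURPOSES = {
  sessionid: 'authentication',        // keeps the user logged in
  basket: 'shopping-basket',          // service the user explicitly requested
  visits: 'site-statistics',          // aggregate page-view counts
  bt_uid: 'behavioural-targeting',    // profiling of browsing activity
};
const ESSENTIAL_PURPOSES = new Set(['authentication', 'shopping-basket']);
const LONG_LIVED_SECONDS = 90 * 86400; // assumption: 90 days counts as long-lived

// Parse one Set-Cookie header value into a structured record.
// `now` is only used to turn an Expires date into a remaining lifetime.
function parseSetCookie(header, now = Date.now()) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [name, ...valueParts] = parts[0].split('=');
  const cookie = {
    name: name.trim(),
    value: valueParts.join('='),
    domain: SITE_DOMAIN,
    path: '/',
    maxAgeSeconds: null, // null means a session cookie
    secure: false,
    httpOnly: false,
  };
  for (const attr of parts.slice(1)) {
    const [k, v = ''] = attr.split('=');
    switch (k.trim().toLowerCase()) {
      case 'domain': cookie.domain = v.trim().replace(/^\./, '').toLowerCase(); break;
      case 'path': cookie.path = v.trim(); break;
      case 'max-age': cookie.maxAgeSeconds = Number(v); break;
      case 'expires': cookie.maxAgeSeconds = Math.max(0, Math.round((Date.parse(v) - now) / 1000)); break;
      case 'secure': cookie.secure = true; break;
      case 'httponly': cookie.httpOnly = true; break;
    }
  }
  return cookie;
}

// Place a parsed cookie on the sliding scale and collect audit notes.
function classifyCookie(cookie) {
  const purpose = COOKIE_PURPOSES[cookie.name] || 'unknown';
  const thirdParty = cookie.domain !== SITE_DOMAIN && !cookie.domain.endsWith('.' + SITE_DOMAIN);
  const notes = [];
  let category;
  if (ESSENTIAL_PURPOSES.has(purpose) && !thirdParty) {
    category = 'strictly-necessary'; // may be set without consent
    if (purpose === 'authentication') {
      if (!cookie.secure) notes.push('set Secure: login cookie would be sent over plain HTTP');
      if (!cookie.httpOnly) notes.push('set HttpOnly: login cookie is readable by page scripts');
    }
  } else if (purpose === 'site-statistics' && !thirdParty) {
    category = 'low-intrusion'; // simple visitor counts sit low on the scale
  } else {
    category = 'intrusive'; // profiling, third-party, or undocumented: seek consent first
    if (thirdParty) notes.push('third-party cookie for domain ' + cookie.domain);
    if (cookie.maxAgeSeconds !== null && cookie.maxAgeSeconds > LONG_LIVED_SECONDS) notes.push('long-lived tracking identifier');
    if (purpose === 'unknown') notes.push('purpose not documented: add it to the cookie inventory');
  }
  return { name: cookie.name, purpose, category, thirdParty, notes };
}

// Consent gate: return only the Set-Cookie headers allowed by the recorded consent.
// Strictly-necessary cookies always pass; everything else waits for an explicit yes.
function filterByConsent(headers, consent) {
  return headers.filter((h) => {
    const { category } = classifyCookie(parseSetCookie(h));
    if (category === 'strictly-necessary') return true;
    if (category === 'low-intrusion') return consent.statistics === true;
    return consent.tracking === true;
  });
}

// Constructed sample of the headers one page response might carry.
const SAMPLE_HEADERS = [
  'sessionid=abc123; Path=/; Secure; HttpOnly',
  'basket=item42; Path=/; Max-Age=86400; Secure',
  'visits=7; Path=/; Max-Age=2592000',
  'bt_uid=9f8e7d; Domain=.ads-tracker.example; Path=/; Max-Age=63072000',
];

function auditReport(headers = SAMPLE_HEADERS) {
  return headers.map((h) => classifyCookie(parseSetCookie(h)));
}

for (const r of auditReport()) {
  console.log(r.category.padEnd(19), r.name.padEnd(10), r.notes.join('; '));
}
```

Run it with `node` to print one line per cookie. In the constructed sample the login and basket cookies are allowed before any consent, the first-party statistics cookie waits for `consent.statistics`, and the third-party `bt_uid` cookie is reported as intrusive and long-lived and is only sent once `consent.tracking` is recorded. Cookies absent from the purpose registry are deliberately treated as intrusive so that an undocumented cookie fails safe rather than slipping through the gate.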

However, by talking in terms of a sliding scale and failing to offer any clear solutions, the advice does not equip people to make informed decisions. This risks creating panic among digital marketers or – worse still – will encourage people to ignore the legislation. After all, the ICO has yet to publish any details around how it plans to enforce the directive.

What is clear is that we will have to think more carefully about how our websites work and how we are explaining this to our users. The majority of sites are unlikely to be greatly affected by the directive. However, if you are going to use advanced behavioural targeting, then you’re probably going to have to start asking people nicely first.

Filed under Strategy, UI Development.