EU Privacy Law
Cookie consent - May 2012 enforcement deadline is approaching, are you ready?
The new EU Privacy policy that came into effect in May 2011 was altogether a bit confusing and poorly defined in terms of what constitutes an infringement of user privacy and what constitutes an acceptable measure of warning and prevention on the website in question. So much so, that the UK Government extended the enforcement deadline until May 2012 to allow organizations and website owners time to consider how this legislation affects them and the best way of dealing with this in practice.
Now that the deadline is fast approaching, is your organization ready?
Do you really understand the implications of it and have you formulated a plan that meets the requirements in the eyes of the law?
There are different schools of thought on the subject. Some believe it's necessary to stem the abuse of user data being exploited by websites without the users' explicit consent; whilst others are actively campaigning against it and believe that in its current format it is unworkable and will seriously damage digital business.
The ICO (the Independent Commissioner's Office, which in the UK is responsible for providing guidance on and enforcing this law) has taken the view that anonymous web tracking and the collection of aggregate visitor data by web analytics tools such as Google Analytics, Webtrends and Omniture are not allowed without the explicit consent of the visitor.
Our current interpretation of the directive and the measure of enforcement is that cookies that only keep state while the user interacts with the site do not come under the act and can effectively be ignored. A common example of this is the 'remember me' cookie, which recognizes a returning user (who has previously registered or subscribed to access a website) and automatically logs them in. This constitutes explicit consent on the user's behalf because they have opted in to use this cookie.
So we only have to consider cookies which effectively identify the person as a specific individual and which could therefore be used to profile their activity whilst they remain anonymous - a common example of this would be advert targeting served by ad networks, whereby the ad network serves ads to various websites based on a user's anonymous browsing behaviour.
Clearly this is going to be a big problem for some site owners if they permit users to explore their sites without having consented, as this would render useful functionality, such as targeted advertising, fairly useless and leave the site owner with huge gaps in their website data, which would then be meaningless to them.
There are different ways of presenting the opt-in/consent mechanisms on a website which range from overlay boxes (describing the use of cookies and an opt-in) on the first page of the user visit, to a permanent opt-in in the site masthead which gets displayed on every page of the site. There are pros and cons to both of these solutions, but either way it is the site owners' responsibility to complete an audit of each website they own and devise a strategy that is acceptable in the eyes of the UK Government; minimises disruption from a user experience perspective; and preserves a complete picture of web analytics data.
For more information about the EU Directive deadline or to discuss a site audit and implementation strategy, please contact us on 020 7766 9810 or info@abacusemedia.com.
