cookie legistlation: changes and impact
TRANSCRIPT
8/6/2019 Cookie legistlation: changes and impact
http://slidepdf.com/reader/full/cookie-legistlation-changes-and-impact 1/3
Cookie LegislationChanges and Impact
There has been increasing press coverage in recent weeks concerning the impact of the impending EU e-privacy
Directive in the UK. From the 26th May this EU regulation passes into UK law, yet there is still confusion as to
what the requirements for Advertisers, Publishers and Technology providers will actually be.
So what is it?
The revised ePrivacy Directive is part of a broader piece of European legislation – the EU Electronic
Communications Framework - that comprises a total of five Directives and is required to be implemented intonational laws by 26th May 2011.
The revised ePrivacy Directive will amend the existing Directive, replacing the current ‘notice and opt out’provisions with a requirement to obtain consent for “the storing of information or the gaining of access toinformation stored in the terminal equipment of a subscriber or user… having been provided with clear and
comprehensive information”
This applies to all first and third party cookies but there is one exception for uses which are “strictly necessary” for
the service requested by the user. The Information Commissioners Office (ICO) has now defined what is meantby this exception in the UK;
“This exception is a narrow one but might apply, for example, to a cookie you use to ensure that when a user of your site has chosen the goods they wish to buy and clicks the ‘add to basket’ or ‘proceed to checkout’ button,
your site ‘remembers’ what they chose on a previous page. You would not need to get consent for this type of activity. This exception needs to be interpreted quite narrowly because the use of the phrase “strictly necessary”
means its application has to be limited to a small range of activities and because your use of the cookie must be related to the service requested by the use........The exception would not apply, for example, just because you
have decided that your website is more attractive if you remember users’ preferences or if you decide to use a
cookie to collect statistical information about the use of your website.”
What’s the confusion?
There are three parties responsible for the rollout of the legislation in the UK: the UK Government,
Information Commissioners Office (ICO) and Internet Advertising Bureau (IAB). Unfortunately there are quitecontradictory messages coming from all three.
Much of the confusion surrounding the revisions to the directive involves the notion of ‘informed consent’;providing sufficient information to consumers about how their data is captured in order for the consumer tomake an informed choice about whether they give permission to do so. With the ICO guidance that
confusion has only grown. The ICO references ‘prior consent’ (i.e. consent achieved before the ‘first’ cookie isdropped).
The UK Government response rejects a ‘prior consent’ approach. However, it does acknowledge the changefrom ‘notice and opt out’ to a system based upon ‘informed consent’ and that “the use of cookies that
underpin the use of shopping baskets on websites” will be exempt from this change. The UK Government
also states that it does not expect any of the proposed solutions to be in place by 26th May. Rather itproposes a “phased implementation” and that the ICO will not be expected to take enforcement action inthe interim.
8/6/2019 Cookie legistlation: changes and impact
http://slidepdf.com/reader/full/cookie-legistlation-changes-and-impact 2/3
Overall they are suggesting that browser level opt out with an industry drive towards consumer education
would be acceptable and the 26th May would be a soft launch. Meaning advertisers would need to donothing other than offer support to initiatives to educate consumers on the uses of cookies.
However, the ICO then released their long awaited guidance for advertisers and agencies on theimplementation of the ePrivacy Directive. Within this they state:
“One of the suggestions in the new Directive is that the user’s browser settings are one possible means to get user consent. In other words, if the user visits your website, you can identify that their browser is set up to allow cookies of types A, B and C but not of type D and as a result you can be confident that in setting A,
B and C you have his consent to do so. You would not set cookie D. At present, most browser settings are not sophisticated enough to allow you to assume that the user has given their consent to allow your website to set a cookie. Also, not everyone who visits your site will do so using a browser. They may, for example, have used an application on their mobile device. So, for now we are advising organisations which
use cookies or other means of storing information on a user’s equipment that they have to gain consent some other way.”
This essentially removes the possibility of using browser level consent to drop a cookie. Advertisers will haveto seek consumer consent prior to dropping a cookie on their first visit to the advertiser’s website. So, the
ICO’s drive towards “prior consent” is contradicting the UK Government’s push for “informed consent” atbrowser level.
The two differing interpretations of the regulation have caused a lot of confusion within the UK internetadvertising industry. The IAB have released several statements around this confusion and how theguidelines should be interpreted and are working with the ICO and the UK Government to gain further
clarification.
Taking Action
In our experience there are a number of advertisers who have unnecessary cookies used on their website.
This can be for a number of reasons such as older cookies that have been superseded as a website hasevolved. We recommend using the rollout of this regulation as an opportunity to streamline your websitescookie structure; removing anything unnecessary and also understanding which ones are strictly vital. If youcarry out this exercise you will get a clear understanding of how you will need to adapt in order to comply
with this legislation or not.
Within the ICO compliance guidelines they have offered a number of options for compliance:
• Pops up and similar techniques Using pop ups or splash pages when users arrive on a site to gain consent, in a similar way to how
feedback questionnaires pop-up when you land on some websites.
• Terms and conditionsGaining user’s consent via T&C’s when they first sign-up or login to your online services.
• Settings-led consent Some cookies are deployed when a user makes a choice about how the site works for them. Inthese cases, consent could be gained as part of the process by which the user confirms what theywant to do or how they want the site to work.
• Feature-led consent When a user chooses to use a particular feature of the site such as watching a video clip or when the site
remembers what they have done on previous visits in order to personalise the content the user is served.In these cases, when a user opens a link or clicks a button, then you can ask for their consent to set a
cookie at this point.
8/6/2019 Cookie legistlation: changes and impact
http://slidepdf.com/reader/full/cookie-legistlation-changes-and-impact 3/3
Take time to understand how each one will impact a user’s journey on your website, focusing on finding the
one which will have the least negative impact on your website’s bounce rate.
Watch out for updates We’re expecting more will come in the near future from one or all of these three parties, in terms of updatesto the ICO’s guidance. Make sure to look out for this. We will be releasing updated advice as soon as wehear anything. If there is no update to the ICO’s guidance by the 26th May then it will be time to startimplementing your preferred option from the compliance options they have presented in their guidelines.
Get in touch For more information on how we can help your business comply with the new legislation call us on 0845130 0022, email us at [email protected] or visit www.bigmouthmedia.com. You can also follow uson Twitter: @bigmouthmedia.