There’s a lot of debate about the new EU cookie laws and how they’ll affect online businesses based in the EU. If you’re not convinced that the new cookie laws will have any impact on how you use the internet, try this: in Firefox, open “Tools”, click on “Options” and then click on the “Privacy” menu item. Then select “Use custom settings for history” from the drop-down menu and uncheck the box labelled “Accept cookies from sites”. Then simply visit your favourite sites, such as Amazon, eBay or Facebook, and try using them. After a few minutes of being bombarded with annoying popup notices begging you to accept the website’s cookies, you’ll probably experience an uncontrollable urge to dispose of your computer out the nearest window.
The reason for this looming assault on user accessibility is the persistent abuse by many companies of behavioural targeting and advertising cookies, which in recent years has begun to spiral out of control. As a result, in May this year, the Information Commissioner’s Office (ICO) announced plans to implement legislation that would have a massive impact on all online businesses in the UK. The new EU cookie laws would effectively force all UK sites to obtain the “informed consent” of their users before they could legally collect any form of personal data. The implications of failing to comply would be enormous; businesses would risk fines of up to £500,000, as well as equally costly damage to their reputations.
Alarmed by the lack of preparedness of British industry, the government managed to negotiate a 12-month “lead-in period” to give UK businesses time to adapt to the new cookie laws. We’re now midway through that period, and the information commissioner – the guy who’ll have to enforce the new rules – has just issued a half-term report on how things are progressing. Unsurprisingly, his verdict “can be summed up by the schoolteacher’s favourite clichés: ‘could do better’ and ‘must try harder’. A report that listed the URLs of sites that were perfectly compliant from day one would be very short indeed. This is not a surprise to anyone who recognises that redeveloping and redesigning websites is no easy task”.
With the impending deadline now on 24th May 2012, the lack of clarity about the cookie laws is disconcerting to say the least. The ICO’s own website (www.ico.gov.uk) witnessed a dramatic 90% drop in visitor numbers after the EU cookie laws were implemented, which demonstrates just how damaging the new legislation could prove to be. Furthermore, if the new cookie laws are not understood and implemented correctly, they could also have an extremely detrimental effect on the UK economy if governing bodies such as the ICO begin imposing tough financial penalties on companies that are in breach of the regulations.
Many were expecting (and hoping for) a legal loophole of some kind to exploit, but the regulations proposed will be more stringent than ever imagined. If every site followed the cookie laws set out in the ICO’s lengthy document and had to gain the informed consent of all users before setting any cookies, collecting personal data would be the least of its problems; attracting visitors and retaining customers – already a major challenge – would become virtually impossible.
This shift towards safeguarding the privacy of consumers is a global phenomenon with, it seems, unstoppable momentum, so working towards full compliance with the EU cookie laws will not only prevent websites from incurring potentially crippling financial penalties, but will also go a long way towards helping to establish enduring, trusted relationships between online businesses and their customers. Organisations need to find the right balance between enticing visitors to their website and remaining compliant with the various rules and regulations set out in the pending EU cookie laws.
The ICO’s own website provides a good starting point for website operators to understand exactly what personal data and cookies they’re collecting from, or storing on, customers’ devices. Once this has been established, site operators will be in a position to determine whether the personal data they’re collecting is essential to the business, and will be able to filter out any data that could be construed as being intrusive to their customers’ privacy. This approach to data collection would enable website operators to create a detailed plan for obtaining informed consent to collect the data that they believe is fundamental to the business, and identifying the areas where data collection may not be as important.
The next step along the road to compliance is to ensure that visitors to the website are aware of what personal data is being obtained, and why the data is being collected. However, as evidenced by the dramatic drop in visitor numbers experienced by the ICO’s own site, it’s crucial that users are not made to feel alienated by plastering the site with warning notices, or bombarding them with endless requests to opt in to, or allow, every minor feature on the website. Typically, the purpose of this data collection is to enhance the visitor’s experience while browsing the website, such as providing relevant content or offering a free service. Once this has been explained, it should’t prove to be too difficult to convince them that the site isn’t attempting to exploit their privacy, and as a result they’ll probably agree to the collection and usage of certain data.
A random survey of some prominent websites reveals that their owners haven’t yet appreciated what the new cookie laws require. Most information about cookies is buried in a privacy policy page and explains that the company makes use of cookies before going on to say that if the user declines to accept cookies, the company “cannot guarantee that your experience with the site will be as quick or responsive as if you do accept cookies”. If this is what the vast majority of British companies regard as seeking the informed consent of users, then they have a nasty shock coming. And the information commissioner is going to be busy enforcing cookie laws from next June onwards.