EU Privacy and Cookies: A Very Inconvenient Truth

If you operate an online business in the EU, you’re likely aware (and scared stiff) of a revision of the EU’s Privacy and Electronic Communications Directive that is intended to protect users’ privacy by requiring explicit consent before (most)* cookies can be placed on a computer or mobile device by a web property. This means that you must get permission to use cookies for site personalization, web analytics and ad targeting if you operate from any EU state.

*(Cookies that are essential to perform tasks the user has initiated, such as remembering what products have been added to cart in a session, are exceptions.)

Since permission must be obtained by interrupting a web visitor, we can safely expect that this will negatively impact web usability and a business’ ability to personalize its site and collect web analytics data. This is a major blow to European online businesses and consumers alike, reminiscent of the mandated 3-D Secure protocol for processing certain cards in certain countries.

While only 3 countries met the deadline of May 24, 2011 (Estonia, Denmark and the UK), each state is responsible for developing its own laws in compliance with the Directive. If you need a primer on the issue, Silktide has an entertaining (yes, entertaining!) and informative short video that sums up what the Directive is and what your options are if your business is located in the UK.

As explained in the video, there are 4 options for European business:

1. Do nothing (it’s better to ask for forgiveness than permission, except that you may pay dearly)
2. Don’t accept cookies
3. Ask for permission
4. Move

Reasonably, only the 3rd is a viable option for any serious business (though #4 is tempting, I hear Liechtenstein has some fantastic skiing), which means working towards compliance. The problem is, most EU nations have no law in place yet, and there are no clear guidelines for which cookies are acceptable and which are not.

We do, however, have some fuzzy guidelines from the ICO (Information Commissioner’s Office) – the UK’s information privacy cheerleader.

The ICO has put together a downloadable document that serves as a “starting point for getting compliant,” rather than a definitive guide. There’s some good stuff in there that non-UK businesses in the EU can glean from as well. I will summarize the recommended actions here:

Step 1: Perform a cookie audit

This could be either a comprehensive website audit, or simply a review of what cookies are used and what for, and removing any non-essential cookies.

Step 2: Decide how evil each cookie is

Plot your cookies on a continuum from non-invasive to very invasive of privacy. Cookies with no privacy impact include cookies that remember items added to cart, or a language/country selection. These are essential to your site functioning as the user wants. The more “evil” end of the scale includes cookies that are used for site personalization, analytics and advertising (e.g. Google Remarketing ads that follow users around the web for weeks).

The ICO suggests offering “more detailed choices” at the more intrusive side of the scale. This means more opportunities to opt out of cookies and essentially turn off features of your site. However, what intrusive means is very subjective. Certainly non-PII (personally identifiable information) used for web analytics can’t be that evil, right?

Since there is no rule for how to handle each type of cookie, and how intrusive a cookie is remains subjective, the main point is that you’ve done something. From the document: “If the ICO were to receive a complaint about a website, we would expect an organisation’s response to set out how they have considered the points above and that they have a realistic plan to achieve compliance. We would handle this sort of response very differently to one from an organisation which decides to avoid making any change to current practice.”

You have heard it said of old, “it is better to ask for forgiveness than for permission.” (No, that’s not from the Bible, I checked.) It seems in this case you may be forgiven for not going far enough, so long as you have put your shoes on, or at least bought a pair of shoes in preparation for the journey.

Step 3: Figure out how to get consent

You have flexibility on how to gain permission, both through request format (e.g. through pop-up or accordion slider at the top of a page) and the wording of the prompt.

Note that you must ask for permission and explain the nature of each type of cookie, including disclosure when information may be shared with third parties. An example is when a user wishes to view an embedded product information video hosted on YouTube where YouTube sets a cookie to track engagement with the video, length of view, etc.

This means you will likely be asking for permission multiple times in one session, and that you must craft several prompt messages, depending on the cookie type and intended use.

While wordsmithing is important both for clarity and to reduce anxiety (and to keep visitors on board), never misrepresent the nature of your cookie in order to gain consent. “Any attempt to gain consent that relies on the users’ ignorance about what they are agreeing to is unlikely to be compliant.”

When do you need to be compliant?

If you’re in the UK, you have a grace period of one year to “get your house in order” before the ICO begins to lay the smackdown on infringing sites. Of course, non-compliance is an option, albeit a risky one. But if you plan on playing by the rules, I suggest you take advantage of the grace period in order to A/B test methods and messaging to minimize site abandonment once the requirements are set in stone. Next post we’ll explore techniques to do just that.

Looking for help with ecommerce? Contact the Elastic Path consulting team at consulting@elasticpath.com to learn how our ecommerce strategy and conversion optimization services can improve your business results.


14 Responses to “EU Privacy and Cookies: A Very Inconvenient Truth”

  1. Andras says:

    Well written article – the cookie law is a shame. Fortunately, there are some delays and transition periods which give rise to some hopes of revision. See for instance: http://www.bbc.co.uk/news/technology-13541250

  2. Option 5: You don’t need permission for cookies which are “strictly necessary for the provision of an information society service requested by the subscriber or user.” Most sites have one or more of these, e.g. to track the logon status of the current user. Use these cookies for tracking too.

    http://www.ico.gov.uk/~/media/documents/library/Privacy_and_electronic/Practical_application/advice_on_the_new_cookies_regulations.ashx

  3. Why not use Do Not Track technologies to solve this issue? I think we can remedy some of the issues with smart technical solutions. They are not there yet, but they are already implemented in the browser. Now let’s figure out what we can do with this tool. Perhaps we can achieve what they wanted to achieve without killing the stateful web.

  4. Ben says:

    or, do what we did in the UK -

    5. do absolutely nothing until a few days before the law comes into effect then kick off in a big way telling the ICO what a stupid unworkable idea it is and that nobody is ready and we’ll all ignore it. The ICO gives in, kicks the can down the road for a year giving everyone time to do something about it. Now do absolutely nothing for 12 months. In 12 months – repeat as above…

  5. Don’t forget the flash cookies while auditing your site.

  6. Alex says:

    Ben has it spot on. Do nothing. So far, this has worked a treat in the UK, where the powers that be seem to appreciate that many of these EU directives impacting upon the e-commerce world are extremely “anti-business”. Luckily for us it appears that this results in ineffective enforcement and apparent willingness to listen to the people actually trying to operate businesses under the bizarre legislation.

  7. I think to suggest that the UK ‘powers that be’ backed down at the very last minute to protect UK businesses from silly EU rules is to give them way too much credit.

    More likely they just saw that there was no obvious technical solution and that virtually nobody was in compliance (including their own website until very shortly before the deadline), and decided they had zero chance of enforcing it. Combine that with the storm of enquiries they were probably getting and they probably just decided it was too much hassle (for themselves).

    The much more obvious solution is to do this at the browser level, and at the end of the day there’ll be some overall ‘don’t ask me this again’ option that most people will choose because they get fed up with being asked every time they visit a new site…

    • Fingers crossed that there is enough pushback to overturn this crazy thing. The ICO doc claims that the body is working with browsers for workable solutions, but the problems still remain that not every web visitor arrives through a browser (e.g. mobile apps) and most un-savvy folks who are the kind that are misinformed/scared of cookies are also the ones still running on IE5 or earlier ;) But at least that would spare a good chunk of your traffic from pop ups.

  8. Anonymous Coward says:

    Why is this change “a major blow to European online businesses and consumers alike”? As a consumer, I would LOVE to have legislation like this in the USA. As an eCommerce professional, I suppose I’d have to deal with…

    1. Site personalization… No problem. Store personalization information in our own database and require users to log in. This is more reliable and robust than a cookie. Not only that, but I can analyze my database.

    2. Web analytics… this could be handled by log analyzer programs like we did in the good old days. Unfortunately, the analytics vendors took lazy programming and software as a service to an extreme in creating the current popular Web analytics solutions.

    3. Ad targeting… except that this is an obnoxious practice and will hopefully start to fade as Do Not Track legislation becomes stronger and consumers become more educated.

    • Hi Anonymous, thanks for your comments.

      I do believe it’s an annoyance to consumers to have to opt in/out on every single site in the EU and perhaps multiple times on one site just to be able to use some site features, such as personalized recommendations without a log in or account creation, or a persistent cookie that remembers my previous searches, product views and what’s sitting in my cart. Personally, I don’t see what the privacy invasion is for web analytics or personalization. Retargeted advertising can make you feel like you’re always being stalked, but they’ve lumped way too many things in the pile.

      Linda

    • Dymo King says:

      Really anon? As a consumer I would *hate* this. I visit lots of websites and the last thing I want is to see the same annoying pop-up or slide box or whatever on every single site I visit. That would get very annoying very fast.

      There is also the problem of how exactly the site is supposed to ‘remember’ if the user says no to the cookies – the traditional way would be to… um…. write a cookie with the visitor’s preference… but wait, they said they didn’t want any cookies… so if the website can’t find a ‘preference’ cookie how does it know if it’s a first time user or someone that’s visited 10 times before and keeps saying ‘no’ to cookies? Doh!

      And what happens on an e-commerce site where some cookies are required for the shopping cart to operate? I know these will be allowed, but most e-commerce sites will still want to use Google Analytics or whatever, so will have to ask the general question “do you want to accept cookies” – but if they say “no” because they don’t want to be tracked then they can’t use the site.

      Given that they’re on the e-commerce site in the first place we can assume that they do actually want to use the site, and therefore they *must* say “yes” to cookies – and that means they’ll be tracked even if they don’t want to be.

      So what will the consumer have gained exactly? Instead of being tracked without consent, they’ll be forced to consent. Not exactly a “win” for the consumer…

  9. Andy Dutson says:

    One other point. Even with explicit consent from the user, as with the ICO website as soon as the analytics cookies are loaded the visitor shows as being referred via the website as opposed to the search engine / any other source possible (this also loses keyword data as well). Here is the cookie showing the referrer data after visiting the ICO website from Google, accepting the cookies and checking the results:

    utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);

    After accepting cookies from the ICO website and then going back to the site in exactly the same way you then get referrer details including keywords.

    utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=ico;

    To recap: even if new visitors invited you to their home for a nice roast dinner with cookie ice cream for dessert you will still not know anything about them until the acceptance has occurred and they have visited your website for a second time (all non PII info I may add).

  10. John Hyde says:

    Switzerland is not in the EU.

    Not sure about smaller places like the Isle of Man, Jersey, Liechtenstein.

    And if the Republic of Ireland doesn’t have a law yet then you could operate from there. Or France.

  11. Heikki says:

    Great article!

    Here’s something bigger – the Web 3.0 or “Semantic Web” relies heavily on interacting with the user’s current and past behaviour.

    Perhaps there are other ways to build a web that can work for the user, estimating their needs based on larger user behavior patterns, but cookies help a lot. This legislation stops the speed of innovation in this area.

© 2014 Get Elastic Ecommerce Blog. All rights reserved.