EU Privacy and Cookies: A Very Inconvenient Truth

If you operate online business in the EU, you’re likely aware (and scared stiff) of a revision of the EU's Privacy and Electronic Communications Directive that intended to protect users' privacy by requiring explicit consent before (most)* cookies can be placed on a computer or mobile device by a web property. This means that you must get permission to use cookies for site personalization, web analytics and ad targeting if you operate from any EU state.

*(Cookies that are essential to perform tasks the user has initiated, such as remembering what products have been added to cart in a session, are exceptions.)

Since permission must be obtained by interrupting a web visitor, we can safely expect that this will negatively impact web usability and a business’ ability to personalize their site and collect web analytics data. This is a major blow to European online businesses and consumers alike, reminiscent of mandated 3D Secure protocol for processing certain cards in certain countries.

While only 3 countries met the deadline of May 24, 2011 (Estonia, Denmark and the UK), each state is responsible for developing its own laws in compliance with the Directive. If you need a primer on the issue, Silktide has an entertaining (yes, entertaining!) and informative short video that sums up what the Directive is and what your options are if your business is located in the UK.

As explained in the video, there are 3 4 options for European business:

1. Do nothing (it’s better to ask for forgiveness than permission, except that you may pay dearly)
2. Don’t accept cookies
3. Ask for permission
4. Move

Reasonably, only the 3rd is a viable option for any serious business (though #4 is tempting, I hear Liechtenstein has some fantastic skiing), which means working towards compliance. The problem is, most EU nations have no law in place yet, and there are no clear guidelines for which cookies are acceptable and not.

We do, however, have some fuzzy guidelines from the ICO (Information Commissioner’s Office) - the UK’s information privacy cheerleader.

The ICO has put together a downloadable document that serves as a "starting point for getting compliant," rather than a definitive guide. There’s some good stuff in there that can be gleaned from by non-UK businesses in the EU. I will summarize the recommended action here:

Step 1: Perform a cookie audit

This could be either a comprehensive website audit, or simply a review of what cookies are used and what for, and removing any non-essential cookies.

Step 2: Decide how evil each cookie is

Plot your cookies on a continuum from non-invasive to privacy to very invasive. Cookies with no privacy impact include cookies that remember items added to cart, or a language/country selection. These are essential to your site functioning as the user wants. The more "evil" end of the scale includes cookies that are used for site personalization, analytics and advertising (e.g. Google Remarketing ads that follow users around the web for weeks).

The ICO suggests offering "more detailed choices" at the more intrusive side of the scale. This means more opportunities to opt out of cookies and essentially turn off features of your site. However, what intrusive means is very subjective. Certainly non-PII (personally identifiable information) used for web analytics can’t be that evil, right?

Since there is no rule for how to handle each type of cookie, and how intrusive a cookie is is subjective, the main point is that you’ve done something. From the document: "If the ICO were to receive a complaint about a website, we would expect an organisation’s response to set out how they have considered the points above and that they have a realistic plan to achieve compliance. We would handle this sort of response very differently to one from an organisation which decides to avoid making any change to current practice."

You have heard it said of old "it is better to ask for forgiveness than for permission." (No, that’s not from the Bible, I checked). Seems in this case, you may be forgiven for not going far enough so long as you have put your shoes on, or at least bought a pair of shoes in preparation for the journey.

Step 3: Figure out how to get consent

You have flexibility on how to gain permission, both through request format (e.g. through pop-up or accordion slider at the top of a page) and the wording of the prompt.

Note that you must ask for permission and explain the nature of each type of cookie, including disclosure when information may be shared with third parties. An example is when a user wishes to view an embedded product information video hosted on YouTube where YouTube sets a cookie to track engagement with the video, length of view, etc.

This means you will likely be asking for permission multiple times in one session, and that you must craft several prompt messages, depending on the cookie type and intended use.

While wordsmithing is important both for clarity and to reduce anxiety (and to keep visitors on board), never misrepresent the nature of your cookie in order to gain consent. "Any attempt to gain consent that relies on the users’ ignorance about what they are agreeing to is unlikely to be compliant."

When do you need to be compliant?

If you're in the UK, you have a grace period of one year to "get your house in order" before the ICO begins to lay the smackdown on infringing sites. Of course, non-compliance is an option, albeit a risky one. But if you plan on playing by the rules, I suggest you take advantage of the grace period in order to A/B test methods and messaging to minimize site abandonment once the requirements are set in stone. Next post we’ll explore techniques to do just that.

Looking for help with ecommerce? Contact the Elastic Path consulting team at consulting@elasticpath.com to learn how our ecommerce strategy and conversion optimization services can improve your business results.