Cookie Law – how’s that going for you?

The Cookie Law changes came into effect on May 26, 2012 and doesn’t time fly when you’re having governance fun? As I review how the changes are being implemented I’m most struck by the breadth of interpretation by organisations.

Plus, see the 5 things you should be doing right now at the foot of this post.

The EU Regulations have been flexed for UK consumption (we’ve already been given an extra year to get ready) but from my perspective this just puts British companies on the back foot when it comes to enforcement.

Traditionally the law got its clout from precedent (testing it in the courts and coming up with case law that could be cited to both prosecute and defend).

But in this digital age regulations themselves are often subject to revised interpretation and evolving advice and are policed in such a way that only a few bits (eg the government’s High Court battle with ISPs over the Digital Economy Act) get as far as the courts.

Cookies – the breakdown

Okay, back to cookies. As small bits of code that sit on users’ computers, cookies are useful in helping us understand what users want by monitoring their computer interactivity with a website.

The aim of the new regulations is to give users more control over what organisations can find out and the opportunity to decline or remove cookies from their machines. Fair enough. If somebody from Marks & Spencer started following me about the store with a clipboard and writing notes about where I went or how long I spent there I would take exception, particularly if they didn’t desist when asked.


From a governance perspective I’m looking for robust ways to demonstrate that ‘implied consent’ has been given by users. Organisations have to give users enough easy to understand and obvious to find information about cookies to make it reasonable to assume users have implied consent, because they continue to move around a website without taking any other action – such as removing cookies. Sorry, that was a bit of a mouthful.

According to the Information Commissioner’s Office (ICO), implied consent means your organisation needs to be satisfied (another woolly word) that your users understand that their actions will result in cookies being set and also:

  • in some circumstances, for example, where you are collecting sensitive personal data such as health information, you might feel that explicit consent is more appropriate.

Updating your privacy policy so that it is easy to understand and positioning links to it somewhere obvious to find is a step in the right direction.

I was involved in taking this approach on the Make it and Mend it website, pictured on the left. The Make it and Mend it Privacy and Cookie policy



Some organisations are more in your face about it. Such as the Financial Times pictured on the right.




And even though I’m not a limited company I’ve included advice about the approach I’ve personally taken in the In The Content Lab PRIVACY/COOKIES on this site.

But how are you going to evidence how you decided (not assumed) the approach you took was the right one for you and your users? How are you monitoring effectiveness and aptness (alongside any changes in the interpretation of the underpinning regulation) on an ongoing basis?

Informed consent

If you’re going to understand implied consent it’s useful to understand informed consent. I like National Health Service definitions for this stuff. Implied consent is okay for some things and covers when someone doesn’t give written or express consent but does do something, for example, submits a completed questionnaire.

When it comes to more serious stuff you need informed consent, for example, giving someone full information about what a specific medical treatment involves, including the benefits and risks and then getting their consent in writing. Turning up for an appointment is not enough. I also looked at Canada’s anti-spam legislation (CASL) and the difference between Express (or Explicit) and Implied permission. Implied permission is what basically sits behind the current soft opt-in rule for email communication in the UK.

This left me with other questions. How ‘serious’ is the cookie issue? Is this fundamental to personal privacy even though the data isn’t personal as such? Is implied consent enough? How has my organisation satisfied itself on the implied consent question (or has it simply relied on the ICO or other bodies)? How is my organisation demonstrating overall respect for user privacy in the way it handles their data (identifiable or not)?

More unanswered questions

But there are more unanswered questions. For example, what about the real time auctioning of ad space? How can you tell users what cookies to expect in your privacy policy if the future ad space hasn’t been sold yet? Is it enough to tell users that this might be the case?

When legal firm Pannone looked at Cookie Law in early July it found a number of sites that were not compliant, including some global names and at least one UK government department. The full list is due to be published by The Drum on July 20, 2012. (An earlier KPMG survey was equally damning.)

And the picture is further complicated by the fact that some European countries are not complying – at all. In June it was revealed that the European Commission has filed a lawsuit against five EU nations about this.

The Latvian position

At the other end of the scale Latvia has apparently implemented a draconian version of the Cookie Law where users have to approve every cookie. My personal jury is still out on where the various country interpretations of the Cookie Law leave organisations who operate across European geographic boundaries. Is it different if you have offices or subsidiaries in those countries? Does it matter where your website is physically based, servers etc? I’m not convinced the current advice on this is considered enough. These are just some of the things that keep me awake at night.

So, why should you bother and how should you bother?

At a top level let’s not lose sight of the pecuniary implications for getting it wrong. Site owners can be fined up to £500,000 for non-compliance. The ICO has said that its preference is for sending out notices rather than fining organisations, so long as they are making efforts towards compliance. Two words here – audit trail. Ooh and another one – evidence.

For those of you quietly humming “Catch me if you can” beware. Increasingly individuals are using online tools to take organisations to task for non-compliance in all sorts of areas. You only have to read the Advertising Standards Authority’s weekly adjudications to realise that. And although the ICO’s cookie concerns reporting tool is breathtakingly awful, there are still people out there who will and are using it.

Secondly, doing the right and legal thing underpins your brand. Why should I trust the integrity of your product or service if you’re willing to cut corners elsewhere?

When it comes to the ‘how’, the first question you need to answer is: What types of cookies are used on your site? If you don’t know what the cookie load is, how can you decide how best to inform your users about them? Cookies basically fall into 4 types:

  • Session cookies – that last for a browser session and might include things like shopping basket contents.
  • Persistent cookies – which allow things like member preferences to be stored over the longer term. They may also be used to target advertising.
  • 1st party cookies – set by the website displayed in the URL window (that’d be you then).
  • 3rd party cookies – set by a domain other than the one being visited by the user. This would include Google cookies for analytics.
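
A minimal cookie audit for the four types above, as an added example that is not part of the original post: it classifies Set-Cookie response headers by lifetime and by party. The function names, hosts and header values are constructed for illustration, and the auditor supplies the site's own domain rather than the code deriving it from a public suffix list.

```javascript
// Added example: classify Set-Cookie headers (constructed sample data).

// Parse one Set-Cookie header value into its name and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: eq < 0 ? pair : pair.slice(0, eq), attrs: {} };
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i < 0 ? true : attr.slice(i + 1).trim();
  }
  return cookie;
}

// True when host is siteDomain itself or one of its subdomains.
function belongsTo(host, siteDomain) {
  const h = host.toLowerCase().replace(/^\./, '');
  const d = siteDomain.toLowerCase();
  return h === d || h.endsWith('.' + d);
}

// setByHost: host of the response that carried the header.
// siteDomain: the audited site's own domain, supplied by the auditor (assumption).
function classifyCookie(header, setByHost, siteDomain) {
  const { name, attrs } = parseSetCookie(header);
  // No Expires and no Max-Age means the cookie ends with the browser session.
  const persistent = 'expires' in attrs || 'max-age' in attrs;
  // A Domain attribute sets the cookie's scope; otherwise the setting host applies.
  const scope = typeof attrs.domain === 'string' ? attrs.domain : setByHost;
  return {
    name,
    lifetime: persistent ? 'persistent' : 'session',
    party: belongsTo(scope, siteDomain) ? 'first' : 'third',
  };
}

// Constructed responses observed while loading a page on www.example.org.
const observed = [
  ['basket=abc123; Path=/; HttpOnly', 'www.example.org'],
  ['prefs=lang-en; Max-Age=31536000; Domain=.example.org', 'www.example.org'],
  ['_stats=GA1.2.1; Expires=Wed, 21 May 2014 10:00:00 GMT', 'analytics.example.net'],
];

function auditCookies(rows, siteDomain) {
  return rows.map(([header, host]) => classifyCookie(header, host, siteDomain));
}
console.table(auditCookies(observed, 'example.org'));
```

The resulting table is the kind of inventory a privacy policy can be written against, and re-running it after each site change gives a dated record of the cookie load.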

Then there is the question of how you inform. Obvious placement of your cookie and privacy policy links, as mentioned before, is one relatively straightforward option to apply. A lot of sites are using pop ups and I have issues around the intrusive nature of this interface. Is this helpful or just interruptive? Is my organisation’s implied consent coming at the expense of irritated customers?

I’m also concerned that if users constantly have their browsing interrupted by variously worded cookie pop ups they may seek easier solutions. One option is the Do Not Track feature increasingly being offered by browsers. According to a Mozilla (Firefox) survey of 10,000+ Firefox users in 140 countries, 49% believed their privacy was respected more when Do Not Track was enabled. The survey also found users’ trust increased for browsers, publishers and advertisers who supported Do Not Track.

There is some question as to whether Microsoft’s IE 10 will ship with “Do Not Track” turned on, as in the original spec – or off, which may reflect external pressure (some might argue).

5 things you should be doing right now…

  1. What are you currently doing?
  2. If the answer is ‘Nothing’ – get your act together.
  3. What’s the feedback, so far, on your current approach? (Assuming you didn’t answer ‘Nothing’ to 2.)
    • Any changes to page views etc?
    • Have you asked users what they think of your approach? This could be as simple as a 4Q survey.
    • And for goodness’ sake do some competitor and comparator work.
  4. Based on your answers to 3. should you make changes to your approach now?
    • These changes might affect how you ask for permission, or what you currently use cookies for.
    • If you answer ‘No’ to 4. – what are you waiting for, exactly? The digital world is constantly evolving. If you’re not evolving with it, you’re a dinosaur.
  5. How much do you value the information you get from tracking with cookies? Gathering the data for data gathering’s sake is not enough.





How do you 'feel' about information

Do me a huge favour and complete this simple survey. It will only take 5 minutes. Work your way through the questions in the order they’re presented (don’t you dare peek ahead). Let your intuition take over. Simply opt for the answer that comes closest to your own views. And always go with your first choice.

As with so much online – there is no right and wrong.

I’ll share my findings with you, so watch this space.

» Take the lab rats’ questionnaire

Have you just clicked through from our newsletter?

If the answer to the above question is ‘yes’, can I say ‘hi’ and thank you for popping in. Take a look around – you’ll find a list of past posts in the right hand column and you can also search our archive.

If you haven’t received a copy of CDA’s enewsletter, It’s Only Words, I suggest you sign up now.

We send it out 3 or 4 times a year and it contains useful information, best practice tips and free downloads of value to anyone using online communication for business.

Sign up right now and get the latest edition, which speaks about the latest release of our new whitepaper on internet search. The findings impact on the way all businesses should go about creating effective (and profitable) web content. You can also download our whitepaper for free AND the latest research dealing with online customer engagement.

Subscribe to It’s Only Words

Personas grata

The internet, the web, the online… thingy can be likened to a teenager. It’s all about peer pressure and fitting in. (I haven’t quite figured out what the internet equivalent of spots is yet, but I suspect it has something to do with your server eating 1-in-50 emails and visiting websites that want to dump 20 cookies on you before delivering up anything useful.)

Teenagers also have their own language and regularly adopt words in weird combinations in order to keep parents and other ancient adults out of the loop. Yep. Very much like the web then.

Which is why, frequently, you feel that every article, white paper and blog is running with a very limited vocabulary. Do you remember the early days when it was all ‘super highway’ this and ‘super highway’ that? It wasn’t that long ago that ‘the digital space’ became the synonym for online. If you’re still using ‘the digital space’ I’d stop now if I were you. It’s so, like, yesterday.

So, where am I going with all this? Well, the big word is currently, in my humble opinion, ‘personas’. If you want to get down with the digital posse you need personas, brand personas, multiple personas… Your digital strategy isn’t worth doo doo unless you’ve got a few personas to back it up.

Don’t get me wrong. I love personas. CDA loves personas. In fact we’ve got a half day internal workshop about them tomorrow (which is why the subject is so front of mind). But personas are not a miracle cure. You can focus the mind wonderfully by using them but you have to ’employ’ them. It’s not enough to simply have personas on the payroll.

We always talk about your website being your most important and expensive employee. Your website probably costs more to maintain than your CEO but it would be cheap at twice the price.

How many people does your CEO meet in a year? How many times does he, or she, get to truly demonstrate what your brand is?

Your website is out there 24 hours every day, being reached by people all over the world. Hopefully it’s the living embodiment of your brand; demonstrating usefulness to everyone that comes into contact with it. If the previous description doesn’t sound like your organisation’s website, for goodness sake get a grip. You can’t have a rubbish website in the current economic climate.

Well personas should be right up there on the payroll. They should be getting great benefits packages, including top of the range medical insurance. They should have corner offices and every lunchtime the CEO should rush down to get them sushi from that great Japanese restaurant on the next block. Love your personas. But make them work hard.

If created well and treated with respect, personas bring the real world into your organisational netherspace. You can distil the key attributes of hundreds, thousands, millions of your most important users and prospects into a handful of personas. Give them names and faces. Create back stories. Breathe life into them. And then – AND THIS IS REALLY IMPORTANT – listen to what they have to say.

Next time the head of sales (or, even worse, the CEO) goes on a jag about why the current product brochure should be put on the web in its entirety, bring out Don who runs a 3 year old SME on the west coast and has been buying your products since he started. Don recently halved the number of staff in the warehouse and is moving over to JIT. He needs another brochure like he needs a hole in the head.

Or the head of marketing has become obsessed with social networks and wants the entire business promoted in a 3 minute flash movie on MySpace. Bring in Jodie, who was recently nominated for business woman of the year and has a pathological dislike of anything that’s just fallen off the back of a bandwagon.

Personas visualise your users and put a pulse behind your empirical and statistical data. You can convene them in a nanosecond and unlike focus groups they don’t need sandwiches at lunchtime, or have their opinions hijacked by a retired SAS officer called Kevin.

But personas must be real. (Okay, they aren’t really real but go with me on this one.) Because personas are so popular agencies are conjuring them up like magician’s rabbits. Abracadabra! There’s your personas. All website ills magically cured. Not.

We’ve been working with personas and feel they only earn their keep if you’ve really worked them through the scenarios that touch your business. Run a few situations. Then run some more. Do your personas stand up? The process is a bit like Second Life but not quite so dorky. That’s really what tomorrow’s workshop is going to be about – working out permutations of personas, scenarios and online positions. Creating a virtual grid that mimics the big picture. This will act as both a test environment and also a way of defining persona work for clients. I’ll let you know how we get on.