Cookie Law – how’s that going for you?

The Cookie Law changes came in effect on May 26, 2012 and doesn’t time fly when you’re having governance fun? As I review how the changes are being implemented I’m most struck by the breadth of interpretation by organisations.

Plus, see the 5 things you should be doing right now at the foot of this post.

The EU Regulations have been flexed for UK consumption (we’ve already been given an extra year to get ready) but from my perspective this just puts British companies on the back foot when it comes to enforcement.

Traditionally the law got its clout from precedent (testing it in the courts and coming up with case law that could be cited to both prosecute and defend).

But in this digital age regulations themselves are often subject to revised interpretation and evolving advice and are policed in such a way that only a few bits (eg the government’s High Court battle with ISPs over the Digital Economy Act) get as far as the courts.

Cookies – the breakdown

Okay, back to cookies. As small bits of code that sit on users computers, cookies are useful in helping us understand what users want by monitoring their computer interactivity with a website.

The aim  of the new regulations is to give users more control over what organisations can find out and the opportunity to decline or remove cookies from their machines. Fair enough. If somebody from Marks & Spencer started following me about the store with a clipboard and writing notes about where I went or how long I spent there I would take exception, particularly if they didn’t desist when asked.


From a governance perspective I’m looking for robust ways to demonstrate that ‘implied consent’ has been given by users. Organisations have to give users enough easy to understand and obvious to find information about cookies to make it reasonable to assume users have implied consent, because they continue to move around a website without taking any other action – such as removing cookies. Sorry, that was a bit of a mouthful.

According to the Information Commissioner’s Office (ICO), implied consent means your organisation needs to be satisfied (another woolly word) that your users understand that their actions will result in cookies being set and also:

  • in some circumstances, for example, where you are collecting sensitive personal data such as health information, you might feel that explicit consent is more appropriate.

Updating your privacy policy so that it is easy to understand and positioning links to it somewhere obvious to find is a step in the right direction.

I was involved in taking this approach on the Make it and Mend it website, pictured on the left. The Make it and Mend it Privacy and Cookie policy



Some organisations are more in your face about it. Such as the Financial Times pictured on the right.




And even though I’m not a limited company I’ve included advice about the approach I’ve personally taken in the In The Content Lab PRIACY/COOKIES on this site.

But how are you going to evidence how you decided (not assumed) the approach you took was the right one for you and your users? How are you monitoring effectiveness and aptness (alongside any changes in the interpretation of the underpinning regulation) on an ongoing basis.

Informed consent

If you’re going to understand implied consent it’s useful to understand informed consent. I like National Health Service definitions for this stuff. Implied consent is okay for some things and covers when someone doesn’t give written or express consent but does do something, for example, submits a completed questionnaire.

When it comes to more serious stuff you need informed consent, for example, giving someone full information about what a specific medical treatment involves, including the benefits and risks and then getting their consent in writing. Turning up for an appointment is not enough. I also looked at Canada’s anti-spam legislation (CASL) and the difference between Express (or Explicit) and Implied permission. Implied permission is what basically sits behind the current soft opt-in rule for email communication in the UK.

This left me with other questions. How ‘serious’ is the cookie issue? Is this fundamental to personal privacy even though the data isn’t personal as such? Is implied consent enough? How has my organisation satisfied itself on the implied consent question (or has it simply relied on the ICO or other bodies). How is my organisation demonstrating overall respect for user privacy in the way  it handles their data (identifiable or not)?

More unanswered questions

But there are more unanswered questions. For example, what about the real time auctioning of ad space? How can you tell users what cookies to expect in your privacy policy if the future ad space hasn’t been sold yet? Is it enough to tell users that this might be the case?

When legal firm Pannone looked at Cookie Law in early July it found a number of sites that were not compliant, including some global names and at least on UK government department. The full list is due to be published by The Drum on July 20, 2012. (An earlier KPMG survey was equally damning.)

And the picture is further complicated by the fact that some European countries are not complying – at all. In June it was revealed that the European Commission has filed a lawsuit against five EU nations about this.

The Latvian position

At the other end of the scale Latvia has apparently implemented a draconian version of the Cookie Law where users have to approve every cookie. My personal jury is still out on where the various country interpretations of the Cookie Law leaves organisations who operate across European geographic boundaries. Is it different if you have offices or subsidiaries in those countries? Does it matter where your website is physically based, servers etc? I’m not convinced the current advice on this is considered enough. These are just some of the things that keep me awake at night.

So, why should you bother and how should you bother?

At a top level let’s not lose sight of the pecuniary implications for getting it wrong. Site owners can be fined up to £500,000 for non-compliance. The ICO has said that its preference is for sending out notices rather than fining organisations, so long as they are making efforts towards compliance. Two words here – audit trail. Ooh and another one – evidence.

For those of you quietly humming “Catch me if you can” beware. Increasingly individuals are using online tools to take organisations to task for non-compliance in all sorts of areas. You only have to read the Advertising Standards Authority’s weekly adjudications to realise that. And although the ICO’s cookie concerns reporting tool is breathtakingly awful,  there are still people out there who will and are using it.

Secondly, doing the right and legal thing underpins your brand. Why should I trust the integrity of your product or service if you’re willing to cut corners elsewhere?

When it comes to the ‘how’, the first question you need to answer is: What types of cookies are used on your site? If you don’t what the cookie load is how can you decide how best to inform your users about them? Cookies basically fall into 4 types:

  • Session cookies – that last for a browser session and might include things like shopping basket contents.
  • Persistent cookies – which allow things like member preferences to be stored over the longer term. They may also be used to target advertising.
  • 1st party cookies – set by the website displayed in the URL window (that’d be you then).
  • 3rd party cookies – set by a domain other than the one being visited by the user. This would include Google cookies for analytics.

Then there is the question of how you inform. Obvious placement of your cookie and privacy policy links, as mentioned before, is one relatively straightforward option to apply. A lot of sites are using pop ups and and I have issues around the intrusive nature of this interface. Is this helpful or just interruptive? Is my organisation’s implied consent coming at the expense of irritated customers?

I’m also concerned that if users constantly have their browsing interrupted by variously worded cookie pop ups they may seek easier solutions. One option is the Do Not Track feature increasingly being offered by browsers. According to a Mozilla (Firefox) survey of 10,000+ Firefox users in 140 countries, 49% believed their privacy was respected more when Do Not Track was enabled. The survey also found users’ trust increased for browsers, publishers and advertisers who supported Do Not Track.

There is some question as to whether Microsoft’s IE 10 will ship with the “Do Not Track” turned on, as in the original spec – or off, which may reflect external pressure (some might argue).

5 things you should be doing right now…

  1. What are you currently doing?
  2. If the answer is ‘Nothing’ – get your act together.
  3. What’s the feedback, so far, on your current approach? (Assuming you didn’t answer ‘Nothing’ to 2.)
    • Any changes to page views etc?
    • Have you asked users what they think of your approach? This could be as simple as a 4Q survey.
    • And for goodness do some competitor and comparator work.
  4. Based on your answers to 3. should you make changes to your approach now?
    • These changes might affect how you ask for permission, or what you currently use cookies for.
    • If you answer ‘No’ to 4. – what are are you waiting for, exactly? The digital world is constantly evolving. If you’re not evolving with it, you’re a dinosaur.
  5. How much do you value the information you get from tracking with cookies? Gathering the data for data gathering sake is not enough.