Forget the New Year diet….you need to understand Cookies!
Posted by Nick Broomfield on Thu, Feb 02, 2012
In the past few weeks there have been some fairly grandiose – and downright inflammatory – articles and viewpoints around the various interpretations of the latest EU legislation announcements and its impact on the Direct Marketing industry.
Whether you like it or not, the UK remains within the European Union and by definition still needs to comply with its various laws, rules and legislative changes.
Meaning that, starting with the EU Directive on Privacy and Electronic Communications – focused on the use of cookies and needing compliance by May 26th 2012 - marketers need to pay attention and consider what actions they will be taking. This isn’t one that is going away with the close of Davos last weekend, and brands need to be prepared. Are you?
In our experience in recent months, the answer is ‘no’. Not only do very few brands have compliance plans in place, some are even unaware of the requirements as laid down in this Directive!
I’m no lawyer, but let me try and give you my take on what this means and what you need to do. Top-line, the Directive covers the use of cookies and similar technologies for storing consumer information and requires a switch to active opt-in of such cookie use before the data can be utilised by a brand. The original Directive from 2003 was amended in 2009 to require consent for storage or access to information stored - via a cookie - on a subscriber PC. The UK Government introduced the amendment into law on 25th May 2011 and gave businesses ONE YEAR to comply.
In essence the rules are designed to protect the privacy of Internet users (even where the information is not personally identifiable) and to stop information being stored on a person’s computer and subsequently recognising them without their knowledge and agreement. The reasoning is that consumers are unaware of what ‘cookies’ are and therefore businesses should be more open in how they use them. The Government asked PWC to conduct an online study of 1,000 individuals and found that only 13% of respondents indicated that they fully understand how cookies work, while 37% said they did not know how to manage cookies on their computer.
So, to the requirements…..they are basically two-fold: firstly, subscribers/users must be provided with clear and comprehensive information about how cookies are used and the purposes of that storage and, secondly, subscribers/users must give their consent to such use of cookies.
To be fair, since 2003 brands should have been providing clear information about use of cookies, but it is the consent piece that is new. And, crucially, unlike in 2003 when it was acceptable to offer choice in the form of an OPT-OUT to cookie use, in the 2011 amendments, although the word ‘prior’ consent isn’t used, opt-in is how it is best read…..it is difficult to see a good argument for achieving consent after the activity the agreement is needed for has already occurred! Having said that, many websites simply have to drop a cookie as soon as a user arrives on a site and it is unlikely this will be stopped – brands will just need to ensure that all non-essential cookies are delayed from being set until the user has had the chance to provide their consent.
It’s also worth noting that although the Directive is aimed at both key types of cookies – session cookies and persistent cookies – it is the persistent cookies (the ones that remain on a user’s computer after a session has ended and remember you on your return) that can be deemed more privacy intrusive than the one-off use ‘session’ cookie and that will get most scrutiny. Brands should make it a priority to know what sorts of cookies they are using and also if they are ‘first-party’ (set by the website owner) or ‘third-party’ (set by a domain other than the one being visited). This knowledge of the sort of cookies you use will be key to understanding whether you need to make any potential system changes vs just being more transparent on use when it comes to consent acquisition and compliance.
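The distinctions in the paragraph above (session vs persistent, first-party vs third-party) can be read straight off the `Set-Cookie` headers observed while a page loads. The following is an added example, not part of the original post: the site domain, URLs and cookie values are constructed, and ‘first-party’ is assumed to mean the responding host is the audited domain or a subdomain of it.

```python
from urllib.parse import urlsplit


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, lower-cased attributes)."""
    first, *rest = [p.strip() for p in header.split(";")]
    name = first.split("=", 1)[0].strip()
    attrs = {}
    for part in rest:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def classify(site_domain, response_url, header):
    """Classify one cookie by lifetime and by who set it.

    site_domain  -- the domain being audited (supplied by the auditor)
    response_url -- URL of the response that carried the Set-Cookie header
    """
    name, attrs = parse_set_cookie(header)
    # A cookie with Expires or Max-Age outlives the browser session.
    persistent = "expires" in attrs or "max-age" in attrs
    host = (urlsplit(response_url).hostname or "").lower()
    site = site_domain.lower()
    # Assumption: first-party = audited domain or one of its subdomains.
    first_party = host == site or host.endswith("." + site)
    return {
        "name": name,
        "set_by": host,
        "lifetime": "persistent" if persistent else "session",
        "party": "first-party" if first_party else "third-party",
    }


def audit(site_domain, observations):
    """Classify every (response_url, Set-Cookie value) pair observed."""
    return [classify(site_domain, url, hdr) for url, hdr in observations]


# Constructed sample: headers as they might be captured during one page load.
SAMPLE = [
    ("https://www.shop.example/", "basket=abc123; Path=/; HttpOnly"),
    ("https://www.shop.example/", "visitor=77f0; Max-Age=31536000; Path=/"),
    ("https://ads.tracker.example/pixel.gif",
     "uid=9c1e; Expires=Wed, 01 Jan 2014 00:00:00 GMT; Domain=tracker.example"),
]

if __name__ == "__main__":
    for row in audit("shop.example", SAMPLE):
        print(row)
```

Persistent third-party entries in the output are the ones the post expects to attract the most scrutiny.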
As if it isn’t complex enough, there is likely to be an exception to the need to gain consent for cookie use, but this is only where the use of the cookie is deemed as ‘strictly necessary’ for the operation of the site or the carrying of a communication transmission.
So here’s what you need to do next:
1) UNDERTAKE AUDIT - undertake a detailed audit of your sites to check what types of cookies or technology are in use and how you use them….and ascertain how intrusive they are. It may be that you can delete certain cookie uses and pull back use of other more ‘intrusive’ cookies. And it will give you the chance to review how you use – and consider if you want to continue to use – any intrusive cookies. It’s fair to say, the more intrusive your activity, the more priority you should give to getting meaningful consent. It seems unlikely that regulatory action will come about from sensible and clear use of first party cookies (including analytics), so focus here if possible.
2) DEVELOP CONSENT SOLUTION - where you feel you need consent, decide what solution is best for your situation to a) explain your cookie use and b) obtain consent.
There will be many creative solutions open to brands here. Top-line we’d advise that, given levels of cookie understanding are low, take an approach that is open, transparent, descriptive and uses clear language. A great example would be the way the BBC website outlines its use of cookies.
Oh, and consider where you will communicate the cookie consent opportunities….above the fold would be preferable over hidden at the bottom of the web-page. And no, it’s no longer good enough to think that ‘providing information about cookies’ can be hidden away in your ‘Privacy Statement’ document/link at the bottom of the web-page!
This is a very complex topic, and we have only attempted to provide a very top-line (and non-Legal!) view on the matter. However, it is critical and action IS NEEDED! May is just around the corner. The official guidance from the Information Commissioner’s Office is very useful and goes into all the details and can be found here.
To use the words of PWC to summarise the challenge to brands: “online businesses will need to evolve their data collection and usage transparency in order to illustrate to consumers the benefits of opting-in”.
Our advice is to think carefully about how you will undertake the changes required and ensure you are even more crystal clear about the value proposition you are offering to consumers through your online experiences. Put together a ‘Working Group’ in your company made up of key Marketing, PR, Legal, Public Affairs and Corporate Relations folks and agree your plan of action to audit your sites, agree your policy and make the changes you need to….BEFORE it’s too late and you end up the first major brand to be dragged through the PR wringer for non-compliance.
PS. Before I go…..it’s also worth noting that the European Commission have also just tabled further proposed new protection laws (which the WFA have said “threaten the fundamentals of the Internet eco-system” and “will hinder growth in Europe”) centred around the processing of sensitive data without an individual’s consent (indeed they express a need for complete and total ‘explicit consent’) – where violation could mean a fine of up to 2% of global annual turnover. It’s unlikely to become law until 2014, but the signs are all here that big change is afoot for Direct Marketers!
More on this in a future post…..
Author details:
Nick Broomfield - Director. Nick joined TCF in 2010 as a Director and Partner having spent 8 years at drinks giant Diageo where he headed the Global Digital Marketing Team. Nick was responsible for successfully integrating interactive channels to become an indispensable element of the overall brand plans and is credited with introducing and embedding a focus on consumer engagement that led to a step-change in the marketing of brands including Johnnie Walker, Guinness, Captain Morgan, Baileys and Smirnoff. Nick also led the Interactive and eRM capability build agenda, personally training over 300 marketers across 12 countries. Prior to Diageo, Nick worked agency-side at Rapier, where as Account Director he led and delivered award-winning CRM and Digital work on clients including The AA, HSBC and NTL. Nick is passionate about helping brands engage and build profitable relationships with consumers across multiple channels. An active member of the Digital and CRM community, Nick has sat on numerous industry Boards and currently sits on the IDM Digital Advisory Council. nick.broomfield@thecustomerframework.com