Our blog | equimedia

Cookie law compliance review

Written by Ryan | 03-Jul-2012 09:30:00

How top online brands have responded to the EU e-privacy directive

Shortly after the final ICO deadline for compliance with the EU Privacy directive, Equi=Media carried out a survey of the top UK brands' response. In this research we looked into how these brands (Nielsen UK's 100 largest online display advertisers, covering 108 domains) were updating their web properties to respond to this directive (often referred to as the new "cookie law").

The sites reviewed include brands such as Microsoft, eBay, Virgin Media, 20th Century Fox, Peugeot, Dell, Electronic Arts and Land Rover. A full list of the brands & websites we surveyed is available on request.

It should be noted that the data was correct at the time of the review (30th and 31st May 2012), and that a handful of these brands have since updated their website.

In this summary document we have broken down how this group of brands appear to have addressed the challenge. We are not judging that any of these responses is necessarily compliant or non-compliant (the ICO has yet to comment on them).

Who has made visible changes?

There appears to be a fairly even split between (1) those who appear to have "done nothing", (2) those who DO have cookie related information that is "easily visible" and (3) those who do NOT have cookie related information that is "easily visible".

We found that the most efficient way of classifying the visibility of the cookie information was to balance these through a simple scoring system, allocating importance based on a combination of the visual factors. Although not necessarily scientific, the aggregation of these scores gives us this interesting view.

The "visibility" of the cookie information is subjective and our scoring system took the following into consideration:

  • Placement of the cookie information on the page
  • Distinctive colour of the cookie information
  • Likelihood of regular users noticing the cookie information
  • Likelihood of first time visitors noticing the cookie information
  • Quantity of text and space given to the cookie information

If cookie information appears to have been added within an existing privacy policy page, then we have not classified this as "visible". This is because the ICO have specifically stated that this cookie information must have an "increased prominence".

Who has not made visible changes?

There were certainly a few surprises – sites with no visible cookie information on their homepages appeared to include:

  • eBay UK
  • Orange
  • T-Mobile
  • RIM – Blackberry UK
  • Dell
  • 20th Century Fox
  • VISA
  • Sony
  • Peugeot
  • Direct Line

It is curious to see how these large businesses (all of whom have cookies loading immediately) have left this information difficult to find. It surely can't be ignorance, so we can only assume they have either ignored the requirement, or are waiting to see what their competitors implement before doing more. Many of these brands appear to have added some cookie information within their existing privacy policy, but we will be extremely surprised if the ICO considers this adequate.

Opt In or Opt Out?

21% of these websites had an on-site cookie management tool. This is made up of 17% who ensured that their cookie management tool is "opt out" leaving only 4% who have implemented an "opt in" solution.

The sites employing this "opt in" approach were: Mazda, Unilever, Nestlé & Hewlett Packard. In each case it appears that they still load some less intrusive cookies immediately, but the "opt in" request is for the cookies that could be considered more intrusive (typically for targeting). We would be incredibly interested to understand more about how these websites are finding their users engage with these tools, so we can only hope they will share some information at some point in the future.

The 44% majority sent the user to external websites to both manage their cookies and also provide information on disabling cookies within browsers. Although we commend these websites for offering the user the opportunity to find more information, in many cases these third party websites do not offer easily accessible opt out tools, or easy to understand information. As such, we fully expect these websites to come under scrutiny from the ICO in the near future.

What mechanisms are used?

Of the 64% who provide cookie information we have broken down the approach taken. Currently there is wide variation, but we expect these to become more standardised as equilibrium for cookie compliance is found.

For the sake of clarity, in this case we are defining an alert box as a content area which clearly stands out from the page by the use of border and/or background colour, but is wrapped with the content; a pop-up as a static box which moves as the user moves, and is placed in front of the other content on the page; and a modal (used by Nestlé; since removed from their site) as a jQuery lightbox which fades out the entire page content to focus on its content.

The leading mechanism for informing users of cookie policies was a simple footer text link (28 out of the 108 websites do this). The ICO will no doubt question the prominence of these links, because many of them were "hidden" amongst the other standard website footer links.

Out of all of the sites with a text link in the footer, the most noticeable was Carphone Warehouse. This link itself is only prominent because of the addition of the (updated) comment, so this illustrates how "hidden" the footer links on other sites are.

Only 5 of the sites (MoneySupermarket, BT, ING Direct, Unilever & Mazda) implemented their cookie information with a pop-up box, which is one of the most visible methods of showing cookie information.

Further to this, Nestlé were the only site to use a modal box (a panel that appears on top of the web page and remains until the website visitor engages with the site in some way). This modal box didn't allow users to see any content on their site without choosing whether to opt into cookies or not, and was the only website which forced the user to interact with the cookie information. A more recent check found that they are no longer running this method of cookie management on their site, opting for an alert box instead. We don't know the reasons for this change, but considering this was the most extreme implementation we saw, Nestlé may well have decided that they could roll back to a less strict interpretation of the e-privacy directive.

List of cookies

44 of the 69 sites with cookie information accessible from the homepage had a list of cookies within their updated policy. Unsurprising, since the ICO has been pushing for websites to conduct a "cookie audit" and this is simply publication of the result of such an audit.

Of these 44 sites, 25 segment their list of cookies according to Strictly Necessary, Performance, Functional & Targeting (or with very similar wording). This appears to be an example of how a general approach to compliance is forming.

One particular example that, in our opinion, was an excellent way of categorising and displaying these cookies is from First Direct.

Cookie management / info links

13 of the 69 sites with cookie information easily accessible from their homepage had on-site cookie management tools. Notable among these is BT's proprietary cookie management tool, which offers a great interface and is highly transparent and informative about their cookie policy.

12 of these sites have developed their own on-site cookie management tools or rebranded existing cookie tools, allowing the user to adjust their cookie preferences without having to click through to an external site to change cookie settings. While cookie management tools make it easier for users to refuse cookies, many businesses have chosen not to do this, either because of cost constraints or possibly because every user without cookies installed on their computer may be one less (tracked) potential customer.

Summary

Whether the above approaches are "compliant" or not can only be judged by the ICO. Furthermore, we haven't considered here what level of intrusive advertising activity these brands are engaging in; those who have implemented the more strict solutions may be doing the more intrusive targeting activity. However, we can see that there is a spectrum of responses that have been put in place and from this spectrum the industry standards will evolve. It will be interesting to watch how the landscape changes as brands respond to one another, plus we wait with bated breath for ICO comment on any of these brands' actions (or lack thereof).

[We will shortly be pulling together an additional document showcasing some of what we consider to be the most creative and engaging solutions mentioned above].

Please note the views contained here are our opinion only.