Our blog | equimedia

Finding a solution to cookie consent and the e-privacy directive (April update)

Written by Ryan | 18-Apr-2012 08:52:00

April Update

Equi=Media attended a seminar at the Department for Culture, Media and Sport on Monday 2nd April which was jointly hosted by the DCMS and the ICO. During the seminar, talks by the DCMS, ICO, IAB and other industry stakeholders repeated much of what we have heard before. 

Throughout the developments in this e-privacy regulation debate, we have continually updated our view (our previous blog is here) and we still suggest following these steps:

  • Conduct a comprehensive cookie audit
  • Understand the use of all these cookies on your website
  • Remove any cookies that are outdated or unnecessary
  • Assess the intrusiveness of the remaining cookies
  • Update your privacy policy – looking at other well-known websites it would seem to be a trend to include a prominent, separate “cookie” related page or section that is rich with information on cookies and also provides links to even more information
  • Seek opportunities for including mechanisms for cookie consent – for example wherever you already have a “T’s and C’s” consent requirement, update the T’s and C’s to include reference to your website cookie use

However, following the seminar on the 2nd April, we think it is important to make it clear that it would appear that a few large brands are set to go live with “consent” solutions that are very visible. These corporations appear to be taking a view that they want to comply with the regulation in the strictest possible sense.

Essentially it appears that website owners have a choice: 

  • If your objective is to comply with the Spirit of the Law then the elements previously highlighted will be sufficient (a cookie audit, updated and much more visible cookie policy, evidence of gaining consent within T’s and C’s etc.)
  • If your objective is to comply with the Letter of the Law then you will need to go further and make a more concerted effort to force website visitors to acknowledge the way you use cookies and yet still proceed to use your website. 

By considering the sliding scale of intrusiveness, plus by making a judgment call on how strictly you want to comply, you should be able to determine which of the approaches suits you best. When considering this, please remember that:

  • The ICO will not take any knee jerk reactions; demonstrating any effort to comply will be positive
  • Web Analytics cookies are not a priority to the ICO
  • Those companies who go live with very visible “consent” functionality may earn public trust with their open approach, but they may also suffer from restricted tracking and reporting and choose to roll back their initial approach

Our view is that by complying with the spirit of the law, you can ensure that you do not suffer with a stricter approach compared to your competitors.  However, we cannot stress enough how you should make your updated cookie policy incredibly visible. e.g. A clearly highlighted footer link could be seen as a first step, but a link in your header saying “how this website uses cookies” would be better.

Consent Options

If however you decide that you need move more towards the “letter of the law” then there are a few options open to you. Even if you don’t seek to implement these now, it might be beneficial to explore them as options that you can demonstrate to the ICO you have investigated.

You can look to develop your own solution as BT have done (see below). We may be in a position to work with you to help develop a bespoke solution here.

Or, you could seek to implement an out of the box solution that has an on-going license fee attached. The provider you choose will depend largely on your specific requirement and the cost you are willing to invest. Current providers include:

  • TagMan: eu.tagman.com
  • Cookie Collective: www.cookielaw.org
  • Magus: www.magus.co.uk
  • Evidon: www.evidon.com
  • BT: we expect that BT will make their solution available to others through one of their partners

Please be aware that any movement you make in this direction may have significant implications on the manner in which you track and report online activity. 

Our view is that currently you should focus on creating a very visible cookie policy, but be prepared that as we move through 2012 and more solutions become available you may need to do more.

Example: BT.com

A test solution that is being run by BT can be seen on Bt.com. As you enter the site you should see a panel displayed in the bottom right corner:

If you do nothing at all, then this panel disappears after a few seconds and doesn’t reappear.If you wish to click on the panel, you are given 3 options:

Change settings – where you can go into a control panel to change your privacy settings for BT.com

No thanks – which simply makes the panel disappear

Find out more – which takes you through to BT’s comprehensive cookie policy

It seems like a reasonably effective way of providing a visible, non-intrusive opt-out mechanism for gaining consent. The key to this is that it is opt-out and will, we can assume, mean that very few people currently opt out of cookies on this site. If it was an opt-in solution then we can assume that very few would opt in!

In the footer of the page, across the site, you can also see some icons and links that refer to the privacy/cookie page again. Site visitors can access the control panel at any time from these.

The control panel itself is very informative and allows a user to manage their cookies by sliding the bar from right to left. This allows cookies to be disabled for “targeting” initially and then “functional” cookies next. “Strictly necessary and performance” cookies are not available to be disabled.

As you move the slider across, it clearly details in the lower panels how the changes will affect your browsing. 

Equi=Media think this is a good initial solution, if you are a company taking a “letter of the law” approach to compliance. However, it clearly needs rigorous testing and for the impact of its presence to be monitored and analysed thoroughly.

[NB. I am not a legal expert and the opinions in this article are mine alone. Each website owner will need to make their own decisions on what is required in order for them to be compliant….but hopefully this summary is valuable in helping you make that decision].