Hand in the cookie jar


European regulation on the use of website cookies threatens the commercial arm of the internet

We’ve all been there; you’re perusing the internet looking for a new garden shed, a hotel room in Cancun, a new pair of trainers. You’re clicking through, having a gander, checking them out from all angles and then you move on.

But you can’t move on. Because that pair of trainers haunts you as you visit different sites. They tease you just within your peripheral vision, reminding you of their existence over and over as they dance on every page you visit.

This is the most extreme version of behavioural advertising and it all comes down to cookies.

“Cookies also allow much more tailored messaging,” says Paul Carysforth, partner at leading marketing and technology company, Amaze. “Sites can understand what you are likely to be interested in and advertising can be targeted the right audiences for that particular brand far more accurately.”

“This affects everyone that runs a website, from a big commercial site to a small website run by a hobbyist who puts pictures up about needlework”

Andrew McClelland, IMRG

But those trainers might not be following you for much longer if new EU regulations come into force.

A European law of 2002 required that these visitors be given certain information about cookies. You will find that information nestling in among the privacy policy section of most websites. But on 26 May 2011 the law changed, meaning that in addition to the provision of certain information, visitors must give their consent to the placing of cookies.

Privacy and Electronic Communications (EC directive) regulations will require websites that use cookies to ask users to “opt in” to allow the storage of cookies on their PC, mobile device, tablet etc. This does not just affect a select number of consumer websites.

“This affects everyone that runs a website, from a big commercial site to a small website run by a hobbyist who puts pictures up about needlework,” says Andrew McClelland, chief operations and policy officer at IMRG. “All will have to look for permission for cookies to be dropped.”

Of course, there is a big deference; our hobbyist won’t be using those cookies for commercial purposes or, as McClelland puts it, “they’ll get away with it because they won’t be doing anything

What exactly are cookies?

So what, you might ask, are cookies and what fancy tricks can we perform with them?

Cookies are small text files that a website sends to your computer when you visit a website. It assigns a unique reference number to your computer so that when you return to the site at a later date the website recognises you.

It’s basically like a memory for a website. You can set your browser to block cookies but, if you do so, using certain websites will be impossible because of the usability that cookies provide.

Third-party cookies are a step up from your average cookie. Some websites will pass your cookie on to a third party that will use your information to tailor ads to display on the page of the original website. Like those trainers following you around, for example.

This behavioural advertising and the passing around of the data from cookies has people most worried as it builds up a profile for each customer over time.

Cookies have been around for a while. So why all the palaver now?

Let’s get this straight, cookies cannot be programmed, cannot carry viruses, and cannot install malware on the host computer. However, they can be used by spyware to track user’s browsing activities, a major privacy concern that prompted European and US law makers to take action. Cookies could also be stolen by hackers to gain access to a victim’s web account.

“If you remove cookies you therefore lose one of the primary reasons why the internet is so attractive to marketers and advertisers”

Rob Richardson, sales director at Casis Media

McClelland believes it’s the widespread press about data theft that has stirred the EU into action – and with it, the slightly more reluctant Information Commissioner’s Office (ICO) – the UK’s independent authority on information rights.

“Confidence in the handling of data has dropped and, with stories about data going missing hitting the headlines all of the time people are on edge, forcing regulators to examine the use of cookies. The irony is that much of this data has gone missing from the government.”

It’s media, Jim, but not as we know it

Cookies are, arguably, a big reason why the online economy has witnessed the growth over the past ten years. Much of the innovation and job creation is being driven by the internet in this country and the government is aware of this and doesn’t want to stifle it.

“Cookies facilitate a level of measurement that no other medium such as print or TV can come close to,” says Craysfirth. “Subsequently, this has driven economic growth and generated thousands of jobs both home and abroad.”

Some of adland’s leaders are extremely worried, predicting the end of online media.

“If you remove cookies you therefore lose one of the primary reasons why the internet is so attractive to marketers and advertisers,” warns Rob Richardson, sales director at Casis Media.

“Many content-heavy sites which are expensive to run (such as The Huffington Post), suddenly become commercially unviable and close down.”

Clear as mud

The ICO has been charged with the implementation of the EU regulations and, according to many in the industry, they have been relatively pragmatic in their approach.

“The ICO understands the difficulties and is giving the industry plenty of time,” says McClelland. “It is between a rock and a hard place. It’s very hard for any regulation to keep up with the internet.”

One of the major complaints from the industry has been that the ICO’s guidance doesn’t go far enough to go through the steps that businesses need to take. This is even apparent from the wording on its advice page:

“[This guide] is aimed at those organisations which are starting to think about how they will comply with the new rules. It is a starting point for getting compliant rather than a definitive guide.”

From that announcement it would seem that the ICO is happy for companies to simply think about how they will become compliant, rather than implement harsh and potentially harmful changes immediately.

However, looking at the cookie announcement and “opt in” banner on the top of the ICO’s page it would seem that opting in could be the shape of things to come.

“Advice for businesses seems to be to carry out a review of their use of cookies,” explains Kim Walker, partner at Thomas Eggar. “Where these are related to online behavioural advertising companies should follow a self-regulation framework and tell users that this is what you are doing.”

Or of course stick your head in the silicon

According to Michael Coyle, partner and technology expert at Lawdit Solicitors, the general reaction has been to do nothing at all.

“The underlying sentiment coming from my clients is that they don’t give a toss. We notified our clients of the changes back in May and expected a huge reaction, but very few have bothered at all.

“ICO is there to encourage people to ensure they are in compliance,” continues Coyle. “They are not there to hit people with stick. If you did a short poll of 100 businesses I bet you’d find that no one has bothered to comply.”

Well that’s not very encouraging. It would seem that these companies, having looked at the regulations and deemed them too onerous and commercially damaging, are waiting to see what happens.

Browsers to the rescue?

One of the theories being championed by industry experts i
s that browser technology is being revised in an attempt to enhance privacy settings and, therefore, take the onus away from individual websites. Individuals would merely need to adjust their browser settings to accept cookies.

“The policy of ‘wait and see’ referred to in the ICO guidance and government commentary suggests that the browser manufacturers are being pressed to find a technical solution by which browsers can be enhanced to meet the requirements,” argues Walker.

“Hopefully it would in users having more information as to the use of cookies and being presented with easily understandable choices.”

Is it wise to wait and hope that browsers will come to the rescue? McClelland doesn’t think so.

“The government is working with technology companies to make that possible but we don’t know if that will happen – companies that are not acting in the hope that this will happen need to rethink.”

‘Strictly necessary’: a way out?

There is a clause in the great cookie cull, which permits cookies deemed “strictly necessary”. An example of a necessary cookie is one used to maintain the contents of a shopping basket on, say, Amazon. But those hoping to use this clause to bend the rules might find themselves disappointed. The ICO describes it as “a narrow exception”.

Cookies across the pond

The regulations are being interpreted differently throughout Europe. Britain has been the most lenient so far, according to experts, although it has to be said only a handful of member states have actually implemented anything.

“The UK has been very good in getting legislation organised on time – other countries are running at little bit behind. But of those who have applied the new rules, the UK has taken the most liberal approach.

“Understanding what the true effects will be to the world markets…is impossible”

Dennis Dayman, chief privacy officer at Eloqua

Adland’s doom-mongers mention the Netherlands as a case in point.

“The Dutch government initially proposed that the use of cookies be self-regulated, but as members of parliament found this arrangement to be too open to abuse, the bill was eventually sent to Parliament as requiring opt-in consent for the setting of cookies,” lawyers Norton Rose announces on its website.

“Since the date of the legislative proposal, the online-advertising industry has been very critical, fearing that the requisite opt-in consent could force users to click more pop-up windows while navigating the internet and damaging its business model.”

In the US, bills in congressional circulation have been drafted to cover much of the same stipulations of the EU Privacy Directive. The US, however, is primarily focused on requiring permission exclusively for third-party tracking practices – the EU directive, on the other hand, applies to all web operators.

Lights, cookies, action

Come May 2012 the ICO will be looking for evidence that a company is taking the steps to audit its existing use of cookies.

The ICO has advised that website owners should make a list of all cookies and similar technologies being used on a website and how they are used.  For each one, determine how intrusive that method is, i.e. does the information track people’s habits on your site, is the information used by third parties?

“The ICO also refers to a “phased implementation,” explains Walker. “Which, coupled with the fact that the ICO has yet to issue guidance on the enforcement of the new law, means businesses will take comfort from the government’s assurance that the ICO will not take enforcement action against them if they are working to address their use of cookies.” 

Tomorrow’s cookies

The future of cookies and the effect their regulation will have on the commercial arm of the internet is unknown. Technology and general awareness in the public about what cookies do will certainly grow and the journey that customers make to websites will soon have to change.

“As it stands today, many of the EU members have not been able to meet the implementation deadline because of concerns about how companies can become compliant in time,” explains Dennis Dayman, chief privacy officer at revenue performance management specialist Eloqua.

“So, understanding what the true effects will be to the world markets that rely heavily on e-commerce and how such requirements will possibly impact technology innovation is impossible.”

Dayman does, however, offer some advice – getting creative seems to be high up on the agenda.

“Already, there are companies providing online tools, education and services to help facilitate this process, but other less expensive alternatives include creative ways to encourage opt-ins like giveaways, leveraging free social media tools to build relationships with customers and prospects or establishing a referral program with existing customers.”

Hopefully this level of innovation and creativity shouldn’t be impossible for the UK’s inventive advertisers and tech companies. But for now there’s no way of knowing for sure which way this cookie will crumble.