How well do you know your cookies? Can you tell the difference between a triple choc chip and an oatmeal and raisin?
How about the difference between functionality and tracking cookies? What about Flash and HTML5 cookies? Not so easy perhaps.
Back in 2009, the European Union recognised that the big variation in applications for these little text files left many general consumers not knowing what cookies actually did.
This led to revisions in the “EU Cookie Law” (the E-Privacy Directive) which Member States had until last May to implement.
While in the past companies only had to provide information on how users could opt out of cookies if they objected, the law now requires consumers to give explicit and informed ‘opt-in’ consent.
The big question is, how do companies ensure they get clear ‘opt-in’ consent?
The UK regulator, the Information Commissioner’s Office (ICO) created some general guidance on the rule changes last year, but this wasn’t terribly prescriptive for companies.
Plugging this gap, a new International Chamber of Commerce (ICC) UK Cookie Guide develops on ICO principles to create more practical, prescriptive advice.
This is well timed. The ICO hasn’t been enforcing the new law because, well, officially it’s a ‘phase in’. In reality, everyone has been a bit flustered about how best to approach it.
But… the one-year amnesty is almost up. From 26th May 2012, they will be cracking down on companies who don’t at least try to get meaningful user consent.
The ICC Guide
The ICC guide works by splitting cookies up into four groups, using the categories to define how and when companies should obtain user consent.
Some cookies may fall into more than one category, but the classifications aren’t set in stone and will progress as technologies do.
So what are they?
- Strictly necessary cookies. These allow users to have services like shopping baskets or e-billing and will normally be set by the website operator. They shouldn’t be used for marketing purposes and don’t need user consent if they’re ‘strictly necessary’ (a can of worms we won’t open for now).
- Performance cookies. Mainly used for website improvement services, like web analytics, gauging advert response rates and error management. These aggregate anonymised data, but consent is still needed.
- Functionality cookies. They control user preferences like website personalisation, layout of the page, and the storing of user IDs. As with performance cookies, they require user consent, and if used for retargeting adverts, they should be considered under category 4 too.
- Targeting/advertising cookies. These are the most controversial, underpinning much of the massive online marketing and behavioural advertising industry. The ICC definition focuses on their use in delivering adverts relevant to users and preventing repeated sending of the same advert.
These descriptions, while true, don’t seem to share with consumers the negative side of behavioural tracking and commercial surveillance.
It isn’t in the industry’s interests to scare users by describing how tracking cookies are the online equivalent of someone following you around your local bookshop jotting down every book you pick up, for how long, and then collating this information into a profile with other shops you visited that morning. I mean, who would want to sign up to that?
But, equally, I understand that the phrase “if you’re not paying for it, you’re the product” rings true here. Balancing user interests against those of commerce is clearly a delicate exercise, and it’s obvious many of these businesses can’t supply such services for free.
Nevertheless, I wonder if sugarcoating the purposes of tracking cookies reduces a general user’s true understanding of the code? If this is the case, does it reduce the value of their consent?
Definitions aside, how can a company actually obtain user consent?
The most logical place is through the browser. But, for now, the ICO thinks browsers provide insufficient user control over settings to indicate explicit consent.
The UK government are currently working with browser firms to find solutions that incorporate more sophisticated privacy controls.
Stopping acceptance of third party cookies by default might be a good start.
For now, companies might use the ICC code’s ‘consent wording’ clauses. These are clearly written, tailored to each cookie type, and can be incorporated into a company’s T&Cs or pop-up prompts triggered when users change settings or visit a site for the first time.
Importantly, the code recognises not everyone has the same level of technical awareness and therefore seeks a ‘layered guidance’ approach.
Instead of bombarding non-technical users with information on third party, zombie and local object stored (flash) cookies, they might be presented with simple interfaces to manage their settings, with more technical users being directed to complex information elsewhere.
I think the ICC suggestion of using simple icons to link a user with personal privacy dashboards has a lot of traction for this.
Overall, this guide is welcome because it’s practical and concise. The plain English approach will raise users’ understanding of the technologies, and provide organisations with tools to meet their legal obligations more meaningfully.
Importantly, the ICO seems to like it too, with its Group Manager for Business and Industry, David Evans, stating:
The ICC UK guidance provides useful information on how organisations can achieve this (consent) and reinforces the ICO’s key message that giving users better and more consistent information will make it easier to gain their consent. We are almost at the end of the year long lead in period and it is vital that organisations start demonstrating that they are moving towards compliance.
Good news for anyone hoping to avoid the ICO’s sting of up to £500,000 fines for non-compliance. While this might be pittance for giants of the online world, businesses wanting to avoid such hefty penalties might look to the ICC code as a pretty good place to start.