This post is the second in a two-part series.
Yesterday's post discussed the upcoming EU regulations concerning the use of cookies and the advice on what websites must do to comply with them.
The guidance from the ICO offers different approaches to obtaining the needed consent. But again, the advice falls short of detailing what needs to be done. “You are best placed to work out how to get information to your users, what they will understand and how they would like to show that they consent to what you intend to do.”
Some suggestions include:
· Using pop-ups and similar techniques
· Using “Terms and conditions”
· Settings-led consent
· Feature-led consent
· Functional uses
No advice, however, is provided to mitigate the degradation in user experience. Those who reject cookies would suffer most. As there will be no mechanism to track them, they would be prompted to opt in or out each time they return to a site. This on its own is likely to lead most customers to (eventually) opt in for the sake of their sanity, or never come back to the site.
The catch-22 is also not addressed: if you need a user’s consent before using cookies, you need to remember this choice when they make it. And the only way for a website to do this is by using cookies.
The ICO says, “We will be keeping the situation under review and will consider issuing more detailed advice if appropriate in future. However, we do not intend to issue prescriptive lists on how to comply.”
Third party cookies
The most controversial area of the guidelines covers so-called “3rd party cookies” – cookies placed on a user’s computer typically by advertisers on a site. Almost all ad-supported sites use third party cookies.
Again, the guidance is vague: “…we would advise anyone whose website allows or uses third party cookies to make sure that they are doing everything they can to get the right information to users and that they are allowing users to make informed choices.”
But while the ICO is unable to say how site owners should implement this, or what “right information” they are required to pass on to users in order to be in compliance with the ICO’s advice, the industry’s trade association has some advice of its own.
Nick Stringer, Director of Regulatory Affairs for the Internet Advertising Bureau, said that the industry’s self-regulatory framework, which had been signed by 50 companies across Europe, had been accepted by the U.K. government to be in compliance with the new EU legislation.
Mr. Stringer said that the system allows for an icon to appear on advertisements. Clicking that icon on the ad would give the user the information required by the legislation.
What should you do?
Modifying your websites to adopt one or more of the ICO’s suggestions can be a daunting task, especially for websites with voluminous pages, multi-country and multi-language deployments. A sophisticated Web Content Management system would help in this process, ensuring that regardless of site structure or dynamic content refreshes, pages served up to the visitor would be in compliance. But implementing these changes will take time – and most sites will probably not be in compliance by the May 26th deadline.
Not that you have to worry about it just yet. “The ICO will be issuing separate guidance on how we intend to enforce these Regulations.” The ICO has restated its intention not to take action against companies that fail to comply. Instead, it plans to investigate sites only after a complaint has been received, and even then it will only ask them to show that they have a “realistic plan to achieve compliance”.
So the practical advice is this: evaluate your site(s), pick the best approach to bring them into compliance with the new directive without overly affecting the customer experience, and then establish a plan to implement those changes. You may not be ready by the 26th, but if you have a plan, you should be OK.













