Cookies and screams

Right, so this week’s diversion from the path of the sane has been to try to get up to speed with the new cookie regulations.  These come into force on 27 May and, of course, it’s only with two weeks to go that I’m knuckling down to discover what needs to be done.

The first thing that strikes you on reading through the ICO’s 27 pages of guidelines is how bloody stupid the whole thing is; a set of regulations for which there is no demand, drafted by people with no knowledge of internet marketing and implemented by lawyers. The perfect recipe for an expensive, bureaucratic solution to a non-existent problem.

But we are where we are, which is, unfortunately, ten days from having to implement a set of regulations that have the potential to bugger up a significant chunk of our internet business.

There would appear to be three routes to take:

  1. Do nothing. Hide under the bedclothes and hope it goes away. This is superficially very attractive, but unfortunately we are stuck with the regulations and could be clobbered if we ignore them.
  2. Do everything. Have an opt-in box on your site beyond which visitors cannot proceed unless they click – see the ICO’s own site for this. This certainly follows the law in letter and in spirit, but its main consequence will be to convince visitors to your site that you’re up to no good (“you want to put your computer code onto my computer? No!”) and drive them away.
  3. (You can see where I’m going here) Do something. That means showing a commitment to implement the regulations, following the principles of transparency, but trying not to bring in processes that will strangle traffic.

[As is customary, I need to point out here that I am not a lawyer and have no expertise in legal matters, so if you get slapped with a £500,000 fine because you followed any ‘advice’ on this site, I’m not paying it for you.]

Entertainingly, the BBC report today that the majority of the Government’s own websites will not meet the date for compliance and there’s a useful link to an interview with someone from the ICO about how the law might be implemented in practice. Key quotes from this are:

  • We will enforce the law proportionately. We’ll look at the risks if and when customers complain to us. If a websites’ cookie and privacy is a risk to many people, we may then take action.
  • If a website says ‘we’d like you to use cookies, but click here if you don’t want us to, and click anywhere else to continue’. If customers have seen this message, then this may be enough in most cases. However, if companies aren’t making this information visible, then they are taking a risk.
  • if businesses deliberately stop short of total compliance, then there is a risk [of prosecution]
  • For us, the issue may be that, if an online business has taken some steps towards compliance, and they don’t ‘bother us’, then that’s OK. However, if we receive a number of complaints it may be a different story.
Trying to pick some strands from this my take on what needs to be done (and what we’ll be doing at iSUBSCRiBE) is:
  • a full cookie audit and categorisation of these according to their privacy sensitivity. We’ve got cookies that are essential to the operation of the site (remembering what you have in your basket), analytics cookies, remarketing ones, ones for our own tracking and so on. The key is for us to establish which might be more privacy intrusive and highlight these to site visitors
  • setting up a page that fully explains what cookies are and the ones we use on the site and our reasons for using them. I intend to rip off be inspired by the John Lewis page here
  • making the link to this page prominent in the header of our site (although I have to climb over the dead body of our web designer to get this in place)
  • highlighting the cookie policy and our cookie information in a blog post
  • a message (the format and delivery of which is still TBC) that uses implied consent to give site visitors the opportunity to leave and (once we’ve figured out a way of doing it) remove cookies placed by our site

It’s this last point that is the unsure ground. The ICO has said that with the current level of consumer knowledge of cookies that implied consent may not be sufficient under the strict terms of the regulations. However, it has also said that for the lesser privacy sensitive cookies that this might be a reasonable approach and that if the site provides sufficient information and transparency about its use of cookies then implied consent may be okay. It will come down to whether complaints are received – the key quote here is”if a website says ‘we’d like you to use cookies, but click here if you don’t want us to, and click anywhere else to continue’. If customers have seen this message, then this may be enough in most cases. However, if companies aren’t making this information visible, then they are taking a risk.”

We will then see what happens, both in terms of our site:- the impact on traffic and sales, the correspondence from visitors, complaints raised with us or the ICO – and the wider developments and what becomes accepted practice, and adjust accordingly.

But ultimately, over the next few weeks we will spend a lot of time, money and effort implementing something that is likely to have a negative impact on our business, will not really enhance the privacy of any of our customers, and which will make our site and the user-experience of it uglier and clumsier. That noise you hear from the direction of the King’s Road is me screaming.

Further reading:

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s