Cookie law - will it rumble or crumble?
The ‘cookie law’ aims to protect your online privacy - but it also impairs the website experience
Kim Walker: “multichannel environments are creating the need for a more sophisticated approach”
Will recurrent popping up of standard information annoy users,and even make them suspicious of legitimate sites?
The latest bit of EU legislation aims to protect the privacy of anyone visiting UK-owned websites by notifying them of cookie usage – but it is also impairing the website experience and jeopardising revenue opportunities, its critics are claiming.
Since its announcement in 2011, and implementation last May, the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 - aka 'cookie law' or 'cookie directive' - is proving some of the most contentious IT legislation from Brussels to come into force in the UK.
The directive was intended to ensure that 'consumers' of Web-based information are customarily informed when a website they are visiting has downloaded a cookie onto their PC. A cookie is usually a small piece of data sent from a website and stored in a web browser while a user is visiting that website. If the user browses the same website again, data stored in the cookie can be retrieved by the website to apprise it of the user's previous activity. The directive amendment is primarily aimed at ensuring that consumers are fully aware that their browsing habits are being monitored and checked, and also that website owners are retaining the data about them.
Many UK website owners have complied with the requirement: anyone browsing sites owned within the EU will have noticed a higher incidence of cookie alerts popping up. Some appear discreetly in a corner of the page, others more intrusively.
"The law was meant to protect the privacy of people using the Internet. To accomplish this the EU made over 90 per cent of websites illegal," Oliver Emberton, managing director of software firm Silktide, has declared. This recurrent popping-up of standard information is, however, one of the reasons why the directive has drawn criticism and opposition from many quarters. Online communities feel that they may not only prove an irritant to online users, but may actively deter them from 'entering' online stores, or make them suspicious of otherwise legitimate sites.
The problem is that, although once an optional extra for most websites, cookies have become a vital aspect of Web functionality and service delivery, as well as providing much of the core data used by Web analytics tools that reveal valuable statistics about Web usage, for commercial and non-commercial applications.
Emberton has directed some critical attention at the Information Commissioner's Office's (ICO's) guidance on this issue. "The vast majority of user preferences are privacy-neutral: preferred font size, or what order they would like their news articles to be displayed in, [for example]" he says. He would argue "that if a user sets a preference for a website, say by clicking on a button, that they 'explicitly requested' a service, and that to provide that service cookies are 'strictly necessary'."
The alleged failure of the cookie law to take into account the specific subtleties of cookie usage has has put it in the light of a draconian measure that does not take account of the consequences both predictable and unforeseen. Few pundits would question the EU's earnest desire to protect Web users, and to make cyberspace a safer place to roam; but for many observers the directive's amendment simply goes too far by its blanket application to all cookie usage.
"There may, of course, be unforeseen consequences of the enforcement of this legislation, but, in my opinion, the really big issue [is] 'consent'," says Dr Rosi Armstrong, researcher at the Centre for Secure Information Technologies. "The point of the European Commission (EC) updating this legislation was to tackle the issue of the use of third-party cookies to track Web users across multiple websites [and serve them relevant but unrequested adverts]."
This is not very different from the situation under the previous cookie rules, adds Dr Armstrong, where information about their use was usually found in privacy notices, which "were not read by the average user, and user consent was implied from their continued use of the website".
She adds: "At this time I can't see that there will be many 'operational consequences' as the enforcement of the legislation starts to bite, as the purpose of the law has been largely circumvented. It will be interesting to see if the EC (who have not been keen on 'implicit' consent) and other Member States will take the same stance on consent as the UK. I would not be surprised to see disapproval from the EC."
However, the recent hullabaloo around the latest cookie legislation has also stirred debate about the changing nature of customer relationships online. Cookies have over the last three years become an integral 'hook' in enabling multichannel retailing. At the same time, and in spite of the added complexity that new regulations bring, cookies remain a valuable tool with a myriad of uses for thousands of businesses big and small.
Alleged ambiguities in the directive, and in how the ICO's interpretation has been relayed to UK website owners, have also attracted attention from the legal sector. Consumers are increasingly savvy about their privacy rights, and how their data is used for their benefit and well aware of their rights to remove consent, suggests Kim Walker, a lawyer at Thomas Eggar.
"[E-tailers now operate in a] multichannel environment: social network communities, location-aware devices, mobile apps, and the monitoring of what customers are saying about retailers on social networks, are all creating the need for a more sophisticated approach," Walker says, "and a data protection and e-privacy protocol that creates a totally safe environment for a brand and its customers to interact."
James Mullock, data protection partner at law firm Osborne Clarke, describes the ICO's redefinition of the implications of 'consent' as "a great help, but it's only a UK position and it still leaves website owners in the position of having to both understand what cookies they use, and also to undertake web-design gymnastics to explain the position and get consent from users."
Many multichannel retailers are exploring the use of social networks, Thomas Eggar's Kim Walker adds, and how they can create online communities of shoppers who are already known to like the brand: this form of social support creates an enormous opportunity to interact with customers, but it also opens brands up to the accusation of going too far in their relationship with the consumer. Cookie deployment is at the heart of this relationship.
Online advertisers are another interest group likely to be disinclined toward fully-legislated cookie usage: any factor that causes click-through banners to present obstacles to the experience will be unwelcome.
"Cookies are a key part of many online businesses - they help websites to perform better, and can eliminate time-consuming tasks such as re-entering address details for our online shopping," observes Vinod Bange, partner at law firm Taylor Wessing. "Without doubt this new directive will be a cause of concern for advertisers, especially online advertisers, and the retailers that use advertisers for additional revenue and to refine sales conversion. This is a growing industry which will be heavily impacted if the directive is fully and inflexibly enforced."
Thomas Eggar's Kim Walker gives another example of how implementation of the directive could change customer relationships: "Imagine a scenario where a customer is a fan of a company on Facebook and then checks in to a branch on Facebook Places, allowing the company to text them a voucher valid for one hour. There is no problem with data protection in this context, just so long as the Facebook page makes it clear that being a fan means receiving vouchers. Indeed, most customers would probably want that anyway. The problem comes when retailers either ignore or do not understand the complexities of online marketing."
The fact that the UK has more stridently implemented the cookie law while other affected EU member nations are perceived to have blanked it is another cause of ire - especially for UK online retailers who feel that compliance risks disadvantages their competitive stance against non-compliant competitors. "Given that the rest of mainland Europe is yet to take this directive seriously, it is a shame that 'UK Plc's online economy is being jeopardised," warns Taylor Wessing lawyer Vinod Bange. "Such red tape may also result in start-ups choosing to 'start-up' outside of the UK, which goes against the government's [...] support of high growth business centres such as London's Tech City."
An obvious result of the whole "debacle" has been the hardening of the EC's view that data protection laws should be uniform across the EU, says Osborne Clarke's James Mullock, "so future regulation will likely be introduced without allowing Member States to hone the rough edges left by the same law makers who proposed the Cookie Directive. I'm afraid that the future looks likely to feature more business-unfriendly laws with less scope for practical local workarounds (like implied opt-in consent). Business will at least have a harmonised set of laws to comply with, not a patchwork quilt of different approaches to the same law." One of the most ardent critics of the cookie law as it stands remains Silktide managing director Oliver Emberton, who has authored what claims to be a 'definitive guide' to the issue that'covers the main objections to the extant legislation. Emberton's 42-page document, available online, sets out the reasons why he thinks the law is flawed, but in the interests of balance, also looks at the pro-cookie-law arguments, and puts forward some possible solutions to the situation.
"No one wants to add [cookie consent messages] to their website, and most visitors are unlikely to be happy about it either," he writes. "When [I] started writing 'EU Cookie Law - the Definitive Guide', [I] tried to be neutral, but that rapidly became impossible," he stated. "[I] don't agree with the law - at least [not] in the way it's written now. It comes over as a technically illiterate shambles. It was impossible to research the new cookie law without developing a thorough hatred of it."
Is the cookie legislation really that onerous?
The amended Privacy and Electronic Communications Regulations have received criticism from some website owners and others; so how valid are their views? We attempt to balance some anti-lobby objections that have appeared in the public domain...
Steve Masters, campaign delivery manager, VerticalLeap:
"The problem for the millions of website owners is that they now need to put an obtrusive message in the way of their visitors, asking them to accept cookies before proceeding. The EU cookie law is a stupid law created by people who do not understand the Internet; a sledgehammer to crack a nut. If all websites comply, the Web will be rendered unusable and unenjoyable and the very people the law is supposed to protect will actually be the ones who also suffer."
E&T says: Websites we have seen asking our permission to store cookies feature a small drop down menu instantly removed with a single click or which disappears after a few seconds - arguably far less obtrusive than pop-up advertising and visitor experience feedback forms. Compliance will not render the Web unusable: cookies which store data so that a user does not have to fill out multiple forms, enhance traffic load balancing, and are transaction-specific, like tracking a basket of goods up to the online checkout, are exempt from the law so website performance is unlikely to suffer.
Web software analytics firm Silktide:
E&T says: The loss of functionality in question is all in favour of the website owner and its advertisers rather than user, and there is no evidence as yet to suggest whether visitors are either happy or unhappy about the type of pop-ups websites are being asked to implement.
Michael Ross, former CEO, Figleaves.com:
"The EU cookie law is simply a bad law and a restraint to trade online at a time when business needs all the help it can get. Trading online without using cookies for analytics or various types of marketing tracking is analogous to asking a retailer to trade blindfolded. It's simply not possible."
E&T says:Online advertising (rather than core business) revenue may be affected; but there are other ways to gather Web analytics for marketing purposes, and the Web industry is likely to find new ones. Making sure the user logs in on every visit to the site for example, while e-commerce sites, publishers and advert networks are looking to new Device ID or browser fingerprinting, technology as a possible alternative though the same privacy concerns, if not yet legislation, would apply.
Malcolm Coles, product director, Trinity Mirror:
"There's no education about it (so it's irrelevant to consumers) and it imposes a significant burden on businesses without any sort of clarity abut practical implementation. Users will get less relevant ads if they reject cookies and we can't track how people use our sites. Ultimately websites will get less relevant. I imagine if lots of people reject cookies aimed at improving the quality of sites, you'll start getting popups saying 'this website is [going to be cruddy] unless you accept cookies. Click here to proceed'."
Nick Halstead, CEO, Tweetmeme and DataSift:
"It clearly makes UK companies less competitive because sites we build will need to be plastered with warnings - and our competitors will not. It is a well-known fact that at each stage of a sign-up process you lose customers - if you have to have a big warning sign just for a cookie that will remember you for purely convenience so that it keeps you logged in. The user won't read that detail - they will just think you're a privacy nightmare and won't sign up."
E&T says: Piecemeal compliance could provoke competitive issues initially, but enforcement should create a level playing-field that removes arguments about losing sales and/or visitors. Better consumer education about the impact of cookies would be advantageous, but rather than see cookie menus as an inconvenience, many will feel more secure knowing they are using a compliant website.
Silktide's Oliver Emberton is not calling on websites to ignore the directive - the ICO can impose fines of up to £500,000 for proven non-compliance - but does reckon the risk of prosecution or penalty is "low". The reality is that all EU websites, no matter how large or small, will eventually have to adhere to the new rules, says Rams's Gallego, vice president at industry body ISACA.
One area of concern for ISACA around the directive is the cyber-security implications for geolocation - the identification of the real-world geographic location of an object, such as a mobile phone. Geolocation is a discipline that is now firmly on the Internet-savvy business agenda, Gallego says, as it "can bring tremendous marketing rewards", in the form of geo-marketing activities, targeted-messages, and suchlike.
The new legislation, however, "presents a number of risks to portals that use geolocation. These risks can potentially outweigh the rewards because the site is required to interpret a lot of the data on the user 'in the clear', including location, time and Web-browsing habits."
Therefore, organisations need to be cautious if embracing mobility and the features that come with it, Gallego warns, and ensure even more that data collection from mobile devices is included within their enterprise security strategy, and that mobile devices are integrated within business asset management programmes: "The issue here is that a growing number of mobile devices have corporate information stored on them, and are used for enterprise activities. The cookie directive obliges service providers to explicitly indicate that the browsing session on a given set of Web pages is being tracked/recorded." The directive's implications and implementations pose "difficulties from a security perspective".
|To start a discussion topic about this article, please log in or register.|
"Is augmented reality the next big thing or a marketing gimmick? Is it fundamental to the future or a fashion faux pas?"
- 3 LANE ROADS [01:34 pm 20/05/13]
- Define Energy. [01:25 pm 20/05/13]
- Fukushima Daiichi Unit 3 5th Floor Highly Radioactive Debris [03:09 pm 17/05/13]
- Cluster formation on cooja simulator [01:59 pm 17/05/13]
- DSLAM Power Consumption [01:58 pm 17/05/13]
Tune into our latest podcast