Join us on Facebook
Twitter us on Twitter
< back

LOOK WHAT'S COOKING - The revised EU Law regarding the use of cookies


16/06/2011

A major revision of the E-Privacy Directive has been implemented on 25 May 2011, forcing businesses to alter the way they collect user data from their websites.  The new rules mean that website operators will now only be able to use internet cookies if the user has given their prior permission – this is a major departure from the present law which operates on an opt-out basis.

What does this mean for social commerce?

The new law impacts on nearly all online businesses and most certainly on those with a focus on social commerce.
The success of social commerce is predicated on the use of online collaboration tools, such as shared pick-lists, user ratings and user interactions. These tools require Website operators to use browser cookies, Web beacons and Flash cookies to collect and organise ‘click-stream’ data, develop data warehousing structures and apply data mining algorithms to uncover consumer browsing patterns. Thereby enabling Web operators to track consumer’s behaviour to build up a digital dossier of their shopping activities and interests; such tracking is largely invisible and unknown to the user during an ordinary Web browsing session.
 


To date, organisations have been able to collect and track a vast array of consumer information by using their privacy policies to make generalised statements regarding:

  • Data collection:“…we will automatically collect and store certain other information to enable us to analyse and improve our websites and to provide our customers with a fulfilling online experience. We also collect information regarding customer traffic patterns and site usage…”
  • Consent:”…By using our website, you're agreeing to let us collect and use your non-personal information as we describe in this Privacy Policy.”
  • And opting-out:You may refuse to accept cookies by activating the setting on your browser which allows you to refuse the setting of cookies. However, if you select this setting you may be unable to access certain parts of our site. Please note that our advertisers may also use cookies, over which we have no control.

This approach is seen by privacy advocates as giving organisations power to influence a very real consumer with their online purchases, more often than not, without the consumer’s knowledge and this creates a significant imbalance between businesses and the general public.  The revised e-Privacy Directive is intended to redress this imbalance.
The Directive adopts the “affirmative consent model” for targeting and tracking, requiring that consumers explicitly give consent (i.e., opt-in) to data collection and data sharing and thereby increasing the transparency of targeted marketing.

From 25 May 2011 businesses will have to alter their data collection practices and implement mechanisms for obtaining explicit consent before tracking user’s online behaviour.  It is important to note that consent will not be required for cookies that are strictly necessary for a requested service, a good example of this is the use of cookies that underpin shopping baskets in websites.

Is it time to panic?
Well, yes and no.  Yes, because the new law will no doubt require major adjustment in your organisation’s online strategy, that you review and address your own use of cookies and take active steps to ensure you comply with the Directive.

Businesses may be frustrated that the government has stated that it “does not see a one size fits all solution” as being appropriate; the government, therefore has not prescribed the measures that will meet the requirements of the Directive.  However, it has actively and publically supported the cross-industry work on third party cookies in behavioural advertising, largely led by the IAB (Internet Advertising Bureau). The IAB has established a self-regulatory framework which is seen to meet the requirements of the new law by advocating the provision of: (i) more information on the use of cookies accessed through a recognised icon, (ii) a clear privacy policy notice, and (iii) a consumer control page.

Now for the good news...The government generally supports the industry view that the most cost effective and efficient way of obtaining prior consent from the user is by virtue of browser settings (although not in their current form) and intends to continue to pursue the option of using enhanced browser settings to provide users with more information as to the use of cookies and to present easily understandable choices regarding the import of cookies onto their machine.

Your organisation can also take some comfort that the Information Commission will not be taking enforcement action against businesses that are working to address their use of cookies, while work is being done with browser manufacturers to see if enhanced browser settings will meet the requirements of the revised Directive.

The Information Commissioner has promised pragmatic guidance from his office to assist organisations with implementation, but repeated his previous warning that organisations need to “wake up” to the fact that the law is changing. “The time for lobbying was five years ago; the time for compliance is now.”

What you should do…
  • Review your website’s current functionality and use of tracking tools.  Make sure you are aware of the extent of the tracking and targeting that takes place on your organisation’s web pages.
  • If you are a digital or marketing agency, you need to assess the analytical tools and cookie technologies you use to track the success of a client’s consumer campaigns.
  • Review your privacy policy and start assessing what changes you may need to implement.
  • Evaluate how compliance risk is allocated between your organisation as a platform operator, your partners and technology suppliers (e.g. cookies can be first party (those served by the website operator) or third party (served by, say, an ad network provider)).
  • Engage with your industry body and industry peers to assess if there is value in a collaborative approach.


About the author:
Kate Atkin is a partner at the boutique media law firm M Law (www.mlaw.co.uk). 
Kate has extensive legal expertise advising businesses in the field of digital and new media, online marketing and social media and has navigated early adopters through the rapidly changing landscape.
Kate believes that sound and practical legal advice is a pre-requisite to maximising opportunity in the online environment.