Most people (apart from me) find the EU Privacy Directive a little dull… but there’s no denying it is an important issue for all our clients. We’ve been helping some of our clients walk the fine line between compliance and commercial reality.
In January I wrote a blog post – ‘EU cookie directive could make the web less accessible for all’ – in which I highlighted some challenges and concerns around the guidance issued by the ICO.
I stated that it contradicted itself and that the interpretation of the law was inflexible and unworkable for businesses. At the heart of the law is the need for “informed consent” for the storage and retrieval of information on an end user’s device.
The guidance explained that the need for information to qualify as “informed” recognised the varying intrusiveness of cookies and allowed for a proportional approach, but that the action required to create “consent” didn’t have a similar flexibility. However, the examples presented contradicted this by illustrating inferred consent solutions and by suggesting that consent could be collected after cookies are placed, without explaining when this might be appropriate or how it could be deemed compliant.
This has driven a lot of debate within organisations and amongst digital professionals, as well as a lot of very different solutions, ranging from fully compliant prior explicit consent, in the form of light boxes or of not placing cookies until consent is given, through to opt-out statements in barely visible banners.
Reading between the lines of the ICO guidance, it is clear they will focus enforcement energies on cases where no appropriate effort has been made to make users aware, and even then they will be reasonable in encouraging and allowing time for upscaling the response.
Our advice to clients is to understand the spirit of the law and then interpret it in a way which maps to the level of risk the organisation is prepared to take and the context of the business. Here are three examples:
To summarise, we recommend focusing on taking reasonable steps to avoid enforcement rather than full compliance – at least in the short term until it’s clear how companies and the ICO will respond.
We’re continuing to work with our clients to find the right solutions for their business. Contact us to see how we can help you.